How can industrial organizations strengthen defenses and prepare for the changing threat landscape?
One of the key findings from the Dragos’ 2018 ICS Year in Review was the compromise of several industrial control equipment manufacturers enabling potential supply-chain threats and vendor-enabled access to ICS networks. Download the Dragos 2018 ICS Year in Review to learn more on what we know and how you can be better prepared.
The Week that Was.
May 25, 2019.
By the CyberWire staff
Fancy Bear watch.
Fancy Bear (that is, Russia's GRU) is actively exploiting malware US Cyber Command reported to VirusTotal last week, CyberScoop reports. Kaspersky Lab says the malware is targeting Central Asian countries, and ZoneAlarm saw the malware's hash last week in an attack in the Czech Republic. The two security firms were the only ones to flag the malware as malicious when it was initially uploaded to VirusTotal. Kaspersky and ZoneAlarm both attribute it to APT28 based on similarities to the threat group's XTunnel tool, which Fancy Bear used in the 2016 DNC hack. Cyber Command posted the malware as part of its malware alert program, but didn't mention which actor it was connected to. CyberScoop says many found the warning useful, and welcomed CYBERCOM's heads-up, although some hope the command begins to share additional context with its releases in the future, when feasible.
ESET has a description of Zeborcy malware, a Fancy Bear tool ESET calls the threat actor's "favorite backdoor."
The UK's National Cyber Security Centre has warned sixteen NATO allies of Russian activity directed against infrastructure and government networks (ZDNet). This week's disclosure came from Secretary of State for Foreign Affairs Hunt. France 24 adds that NATO Secretary General Stoltenberg warned Russia that NATO has a "full range" of responses to cyberattacks available. That's effectively just a restatement of long-standing NATO strategy and policy. The Alliance is committed to proportionality of response, not symmetry.
Get the In-Depth Guide to Operationalizing Threat Intelligence.
Threat intelligence is critical but often difficult to manage, automate, or operationalize. Threat Intelligence Gateways are an exciting, emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational, and useful. Learn about how this technology is turning threat intelligence into action to block threats at scale in the whitepaper, Operationalizing Threat Intelligence: An In-Depth Guide to Threat Intelligence Gateways.
OGUsers hacked, because there's no honor among thieves.
OGUsers, a popular forum that, despite its anodyne self-description, traded digital contraband, was hacked by other criminals, Motherboard reports. The site describes itself as "a community driven online market place forums for virtual goods. We host a marketplace for OG Gamertags, Instagram accounts, Kik, and much more." Many of the community's members appear to be gamers and low-level scammers out for a quick buck and some virtual street cred. KrebsOnSecurity describes the site simply as "an account hijacking forum." OGUsers' administrator said the hacker gained access through a custom plugin, stole a backup from from December 26, 2018, and then posted the data to a different hacker forum. Motherboard says the backup contained "usernames, passwords hashed with the MD5 algorithm, emails, IP addresses, source code, website data, and private messages." KrebsOnSecurity confirmed that the database holds the information of about 113,000 OGUsers' accounts.
The site administrator, "Ace," wrote that "OGUsers has been online close to 3 years now and this the first time any breach has occurred. I do understand everyone's frustration and I am deeply sorry this has all happened recently. You must realize other sites such as Twitter, Facebook, Dropbox, Forums you have used in the past, and many more have been breached at least once. People are targeting the site 365 days a year." He concluded with contrition and reassurance. "Again," he wrote, "I am deeply sorry this occurred and I will do my best to make sure it never happens again." Many users are abandoning the site, assuming sensibly that if a hacker can identify them, then so can the police.
BlackWater, son of MuddyWater.
Cisco Talos has released a report on the BlackWater cyber espionage campaign. BlackWater is active largely in the Middle East, and it's associated with "persistent threat actor" MuddyWater. BlackWater is, researchers say, unusually evasive, adding three steps to MuddyWater's familiar pattern: "an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key," then a PowerShell stager designed to look like a red-teaming tool, and communication with a different command-and-control server than the one used in the initial attack stages. MuddyWater has been attributed by Mitre and others to Iran.
Global Threat Report: Year of the Next-Gen Cyberattack
Our Threat Analysis Unit researched the current state of cyberattacks across our customer base with our IR partners. See the results.
TeamViewer's compromise seems to have been an espionage operation.
Remote connectivity solutions provider TeamViewer was indeed compromised in 2016, Spiegel reports, but did not disclose the incident at the time since in the company's view it affected only its infrastructure as opposed to its customers. The German company said it had stopped the attackers before they caused any serious damage, and that there's no evidence that they compromised source code, although they did have access to it (SC Magazine).
The attack is attributed to Chinese intelligence services, based on the hackers' use of the Winnti backdoor. Winnti is primarily associated with APT17 (also known as "Axiom," "Wicked Panda," and the "Winnti Group"), although the malware has been observed being used by other Chinese-linked threat actors. ZDNet believes that APT17 or APT10 are the most likely culprits in the TeamViewer hack.
enSilo found that APT10 ("Stone Panda") had been unusually active in April, and not against a European target. The samples inspected came from the Philippines, as is consistent with APT10's longstanding interest in Southeast Asia. The group distributed a version of the Quasar RAT (modified to incorporate the ShareSploit password stealer) as well as the PlugX scouting tool.
Outsourcing influence operations.
Facebook has shut down inauthentic accounts allegedly run by Israeli political marketing firm Archimedes Group. The targets of its political fake news were primarily in various African nations. Archimedes Group had spent $812,000 in advertising for the campaign, which ran from December 2012 through April 2019. The social network shut down "65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts," which reached a total of around 2.8 million user accounts. DFRLab notes that a number of the pages posed as fact checkers focused on fighting disinformation. Regarding Archimedes Group, Facebook says the Israeli company "and all its subsidiaries are now banned from Facebook, and it has been issued a cease and desist letter."
Is your company passionate about empowering women to succeed in the cyber security industry?
The CyberWire’s 6th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.
Security Scorecard has a review of major US and European political parties' cybersecurity posture. There's room for improvement across the board, but the US Democrats lag the Republicans in security preparation. French political parties earned the lowest overall scores, and also trailed in "application security" and "DNS health." Poland's "network security" was weak, and Spain showed poor "patching cadence." Swedish political parties did best: tops overall, and best at application security, DNS health, and patching cadence.
Huawei and other soldiers in the Sino-American Cold CyberWar.
Huawei is now on the US Entity List, and US companies can no longer do business with the Shenzhen tech giant without a special license from the Bureau of Industry and Security. But Huawei anticipated this particular rainy day, and is said to have squirreled away a year's worth of the US goods it depends on (South China Morning Post). That won't help with the suspension of the company's Android license, which Google announced last weekend (Verge). Huawei immediately lost access to Android updates, and the next versions of its devices will no longer have access to Gmail or the Play Store. Some of that access has been temporarily restored in a ninety-day reprieve (SecurityWeek). But US officials suggest that neither the company nor the Chinese government should misread this as a sign of softening. Commerce Secretary Ross says it's just "breathing space" to give US firms an opportunity to make alternative arrangements.
The BBC says British chip giant ARM will join Intel and Qualcomm in stopping business with Huawei, and according to the Washington Post Vodafone and BT Group have decided to "suspend plans" to include Huawei phones in their 5G networks. The ARM decision is regarded as particularly damaging. Huawei denies posing a security threat and says it considers the blacklisting "politically motivated."
The Telegraph lists other Chinese companies thought likely to wind up in Huawei's boat: surveillance equipment vendors Hikvision and Dahua, facial recognition providers CloudWalk and SenseTime, drone maker DJI, and, of course, Huawei's smaller rival ZTE.
For its part, Huawei sees its near-term future in the undersea cable market, and it's either laying or upgrading some one hundred such cables (Axios). It's worth noting that a proposed Huawei cable to the Solomon Islands brought the company into early, open conflict with Australia. Huawei didn't get the business, and that was due to Australian objections (and Australian competition) (South China Morning Post).
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Hacktivism no longer hacks it?
Of the three traditional groupings of threat actors--criminals, hacktivists, and nation-states--one, hacktivists, seems to have gone into eclipse. IBM's X-Force looked at hacktivist actions that were credibly disclosed and publicly reported, and in which "a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim." They found a nearly 95% drop in such attacks since 2015. In fact, none have taken place in 2019. X-Force is inclined to think this is more quiescence than disappearance, and that hacktivism could reappear under the right conditions, but there seem to be trends that make this unlikely. More effective law enforcement, the arrest of some hacktivist leaders, and a lack of consensus about the causes hacktivists ought to take up are are obstacles to a resurgence.
Mozilla released version 67 of Firefox on Tuesday. In addition to patching two critical and eleven high-impact security flaws, the new version includes an optional privacy feature used by the Tor browser, which helps prevent advertisers from tracking users across the Internet based on the size of their browser windows (Naked Security). It also features an option to detect and block known cryptominers (Decipher).
Crime and punishment.
The US Air Force is unhappy with the US Navy. Concerned about leaks surrounding the trial of SEAL Chief Edward Gallagher for an alleged war crime, and pursuant to a gag order imposed by the military judge hearing the case, the Navy judge advocate prosecuting the case sent emails to, among others, defense counsel and at least one editor that carried a tracking image below the signature block. The tracker was designed to identify the recipient machine's IP address and report it to a server in San Diego, where the trial is being held. It normally requires a subpoena or court order to acquire IP addresses or other metadata. An NCIS spokesman said that, quote, "during the course of the leak investigation, NCIS used an audit capability that ensures the integrity of protected documents. It is not malware, not a virus and does not reside on computer systems. There is no risk that systems are corrupted or compromised." One of the defense attorneys involved in the trial is an Air Force judge advocate, and the Air Force is treating the incident as an intrusion into its networks (Air Force Times).
The US Department of Justice on Thursday filed seventeen more charges against Julian Assange, alleging various violations of the Espionage Act. Unlike the first charge, which alleged that Assange offered hacking assistance to Chelsea Manning, the new charges have raised concerns about press freedom and First Amendment rights, since ;they focus on illegally receiving and publishing classified information. The Justice Department's counterargument is that "Assange is no journalist," particularly because the documents he released ncluded unredacted names and endangered US human sources around the world (Washington Post). WIRED and others worry that "a successful prosecution of Assange would establish a precedent that publishing sensitive national security materials is a crime, full stop."
Courts and torts.
CNEX Labs, a Silicon Valley chip start-up, alleges in pretrial filings that a senior Huawei executive ordered Huawei personnel to steal CNEX intellectual property. Xiamen University is also alleged to have been complicit in the theft (Wall Street Journal).
Ireland's Data Commission has opened an investigation of Google. The Commission suspects GDPR violations relating to the company's processing of personal data for its Ad Exchange program (Computing). Marketing Land notes that the outcome of the inquiry could have far-reaching implications for the online advertising industry.
Policies, procurements, and agency equities.
At the end of last week the European Union enacted a sweeping sanctions regime that it hopes will impose serious and swift consequences on organizations or individuals found responsible for cyber attacks against the EU and its allies. The penalties are principally travel bans and asset freezes. The EU hopes the measure will have some deterrent effect against any who would interfere with this week's elections, which conclude Sunday (Engadget). The UK pushed for the measure's enactment, and is expected to play an important role in its enforcement (Express).
A group of US senators have proposed a bill that would give $700 million to rural telecoms providers to help offset the cost of losing access to Huawei and ZTE's relatively cheap equipment (AppleInsider).
Fortunes of commerce.
Equifax continues to suffer from its 2017 breach. Moody's downgraded the credit bureau's outlook from "stable" to "negative," citing long-term effects on Equifax's security and infrastructure costs. CNBC quotes Moody's as saying this is the first time a cyber incident has driven such a downgrade.
The US continues to be serious about strictures against Huawei, as markets sort out the ban's consequences. Several Chinese companies not yet among the formally blacklisted "Entities," notably Hikvision and Dahua, took a serious financial bath at midweek (Bloomberg).
European firms competing in the Chinese market report that the incidence of forced technology transfers to local companies is rising (Wall Street Journal).
The security concerns that induced the US Government to place Huawei on its Entity List have also led to a noticeable reduction in approvals of Chinese nationals' visas for work in the semiconductor industry (Wall Street Journal).
Mergers and acquisitions.
Florida-based KnowBe4 has acquired CLTRe (and pronounce its name "culture"). Norwegian-based CLTRe specializes in the assessment and measurement of security culture in organizations, and KnowBe4 intends to integrate CLTRe's Security Culture Framework into its offerings.
BAE's FAST Labs represent an effort to transition start-ups' innovations to market quickly, and without acquiring the start-ups themselves (Breaking Defense). FAST's focus areas are advanced electronics, autonomy, electronic warfare, sensors and processing, and, of course, cyber.
Today's issue includes events affecting Australia, Brazil, China, Egypt, European Union, France, Germany, Israel, Myanmar, NATO/OTAN, Poland, Qatar, Russia, South Africa, United Kingdom, United States.
A reminder: Monday is the annual observance of Memorial Day, and we'll take a hiatus for that day only, returning as normal on Tuesday. In the meantime, if you're in the US, enjoy the holiday, and wherever you are, spare a thought to remember the sacrifices of veterans and their families.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.