The Week that Was.
November 2, 2019.
By the CyberWire staff
Facebook and WhatsApp file suit against NSO Group.
WhatsApp is suing NSO Group and its parent company Q Cyber Technologies, accusing NSO of hacking WhatsApp to target 1,400 mobile phones with NSO's Pegasus spyware, CNBC says. The complaint alleges that NSO Group wasn't able to break WhatsApp's encryption, but gained access to the targets' devices in order to read the messages after they were decrypted. The buffer overflow vulnerability exploited was described by Check Point and others earlier this year, and NSO was already suspected as the culprit behind the attacks, but the lawsuit is the first time Facebook and WhatsApp have publicly accused the company. Facebook also deleted the accounts of NSO employees from its platforms the day after filing the suit, Ars Technica reports.
In a Washington Post op-ed, WhatsApp head Will Cathcart said the attacks targeted "at least 100 human-rights defenders, journalists and other members of civil society around the world." According to the Financial Times, a "considerable number" of those targeted were from Rwanda.
WIRED notes that the plaintiffs may find the case more difficult to argue in court than it might initially appear, because NSO Group doesn't seem to have hacked WhatsApp's servers directly. Rather, the spyware company allegedly reverse-engineered the app to create a malicious version that imitated legitimate WhatsApp traffic. This tool was able to transmit data through WhatsApp's servers as if it were a normal version of the app, enabling delivery of the malicious payload to the target's device.
This seems an apparent violation of WhatsApp's terms of service, under which reverse-engineering and sending malware are prohibited, but WIRED points out that a terms of service violation on its own probably wouldn't constitute a violation of the Computer Fraud and Abuse Act (CFAA). The plaintiffs may try to argue that NSO's misuse of WhatsApp's servers to transmit unauthorized data constituted unauthorized access, but this too could be a difficult case to make. A WhatsApp spokesperson wouldn't provide WIRED with too many details of the company's legal strategy, beyond acknowledging that "[t]his is not a typical CFAA case."
Indian nuclear facility's IT systems targeted by the Lazarus Group.
The IT network of India's largest nuclear facility, the Kudankulam Nuclear Power Plant (KKNPP), was reportedly hit by the Lazarus Group's DTrack malware, according to Ars Technica. The incident was first reported by cybersecurity expert Pukhraj Singh after a researcher found evidence of the breach on VirusTotal. Singh had learned of the attack in early September, and he notified the Indian government at the time. He tweeted on Monday that the malware gained "domain controller-level access" and hit "extremely mission-critical targets."
KKNPP officials initially denied that any such attack had occurred, describing it as impossible since the plant's OT systems were completely isolated from the Internet. Observers noted, however, that the statement didn't mention the possibility of an IT-based attack, and on Wednesday the Nuclear Power Corporation of India Limited (NPCIL) stated that the malware did in fact affect IT systems at the plant, the Quint reports. NPCIL said the malware infected an Internet-connected computer used for administrative purposes, but it was isolated from the internal network and plant systems were not affected.
The Lazarus Group's DTrack malware was described by Kaspersky in September. Kaspersky said the malware was being used in India to carry out "both financially-motivated and pure espionage attacks." Asia Times points out that India's nuclear power program is "joined at the hip" to its nuclear weapons program, so the information and access gleaned from a power plant could have been valuable. ZDNet doesn't rule out the possibility that the infection could have been accidental or opportunistic, however.
Russian influence operations in Africa.
Facebook on Wednesday removed three networks of accounts engaged in coordinated inauthentic behavior on behalf of a foreign actor. The accounts originated in Russia and targeted various African countries with influence operations meant to sway local elections and opinions in favor of Russian regional interests. Each of the campaigns reached several hundred thousand followers. Facebook, collaborating with the Stanford Internet Observatory, connected the operations to organizations associated with Russian oligarch Yevgeniy Prigozhin, who was indicted by the US Justice Department last year.
The first of the three networks consisted of thirty-five Facebook accounts, fifty-three pages, seven groups, and five Instagram accounts. This network focused on Madagascar, the Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire, and Cameroon. This operation spent around $77,000 on advertising. The second network was mainly focused on Sudan, and consisted of seventeen Facebook accounts, eighteen pages, three groups, and six Instagram accounts. The third network targeted Libya, and was made up of fourteen Facebook accounts, twelve pages, one group, and one Instagram account.
Foreign Policy observes that Russia's recent approach to information operations in Africa has been largely short-sighted and unsuccessful. Last year, Prigozhin's trolls attempted to influence an election in Madagascar and failed. Earlier this year, Libya arrested two men connected to Prigozhin's operations and accused them of trying to sway Libya's election in favor of Russia's preferred candidate. Prigozhin's information operations supporting Sudan's former dictator Omar al-Bashir also failed, and Bashir is currently in prison.
The New York Times points out, however, that the three campaigns identified by Facebook displayed some new tactics. Most notably, the operations appear to have worked with local people in the targeted countries to generate and post more authentic content. Alex Stamos, director of the Stanford Internet Observatory, believes the Russians are already using this model in the US, and warns that we should expect to see more of this approach in the future. Stamos told the Times that "[w]e will see a model where American groups are used as proxies, where all the content is published under their accounts and their pages."
Fancy Bear goes after anti-doping authorities.
Microsoft reported on Monday that APT28 (also known as "Fancy Bear" and "Strontium," and widely attributed to Russia's GRU) is again targeting anti-doping authorities and other sporting organizations in the run-up to the 2020 Summer Olympics in Tokyo. Microsoft says at least sixteen organizations across three continents have been targeted. Some of the attacks succeeded, but most failed. The group is using its familiar tactics of "spear-phishing, password spray, exploiting internet-connected devices and the use of both open-source and custom malware." Microsoft recommends enabling two-factor authentication on all accounts, learning how to identify phishing attempts, and turning on security alerts.
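Password spraying, one of the tactics Microsoft names, is easy to miss with per-account lockout rules because each account sees only one or two attempts. The detection below is an added example, not code from Microsoft or the CyberWire; it looks for the spray signature (one source, many distinct accounts, few attempts each, inside a short window) over constructed log lines in an assumed format, and it deliberately does not fire on the single-account brute force in the same sample.

```python
"""Password-spray detection over authentication log lines.

Added example, not code from Microsoft or the CyberWire. The log format
below (timestamp, source IP, user, result) is assumed and constructed for
illustration; adapt LINE_RE to your identity provider's export. A spray is
one source trying a few passwords against many accounts, which is the
opposite shape of a classic brute force against one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample events: 198.51.100.7 sprays six accounts once each and
# gets into one of them; 203.0.113.9 hammers a single account (brute force,
# not spray); 192.0.2.4 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2019-10-28T09:00:01Z src=198.51.100.7 user=alice result=FAIL
2019-10-28T09:00:03Z src=198.51.100.7 user=bob result=FAIL
2019-10-28T09:00:05Z src=198.51.100.7 user=carol result=FAIL
2019-10-28T09:00:07Z src=198.51.100.7 user=dave result=OK
2019-10-28T09:00:09Z src=198.51.100.7 user=erin result=FAIL
2019-10-28T09:00:11Z src=198.51.100.7 user=frank result=FAIL
2019-10-28T09:01:00Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:01:05Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:01:10Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:01:15Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:01:20Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:01:25Z src=203.0.113.9 user=grace result=FAIL
2019-10-28T09:05:00Z src=192.0.2.4 user=heidi result=FAIL
2019-10-28T09:05:20Z src=192.0.2.4 user=heidi result=OK
"""


def parse_events(text):
    """Return (timestamp, src, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines that do not match the assumed format
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return sorted(events)


def detect_password_spray(text, min_users=5, max_per_user=2,
                          window=timedelta(minutes=10)):
    """Return {src: {"users": [...], "successes": [...]}} for every source
    whose attempts inside some sliding `window` touch at least `min_users`
    distinct accounts while no single account gets more than `max_per_user`
    attempts. Accounts that returned OK during the spray are listed separately
    because those are the ones that need a password reset and MFA check."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(text):
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        sprayed, successes = set(), set()
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user, _ in evs[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed.update(per_user)
                successes.update(u for _, u, ok in evs[start:end + 1] if ok)
        if sprayed:
            findings[src] = {"users": sorted(sprayed), "successes": sorted(successes)}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(info['users'])} accounts, "
              f"compromised: {info['successes'] or 'none'}")
```

The thresholds are deliberately loose; in production you would tune `min_users` and `window` against your own baseline and key on additional fields (user agent, ASN, Autonomous System) because sprays are usually spread across many source addresses.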
Johannesburg doesn't cave to extortionists.
The city of Johannesburg confirmed last Thursday that its networks had been breached, and the city shut down its websites and online services while the incident was investigated. According to ZDNet, employees first believed they had been hit by ransomware, since their computers displayed a ransom note. However, the hackers instead claimed to have stolen "all passwords and sensitive data, such as finance and personal population information," which they threatened to release if the city didn't pay four bitcoins (around $30,000) by 5:00 PM on Monday, October 28th. The city refused to pay, and there's no sign yet that the attackers have released any data.
Raccoon is a user-friendly malware-as-a-service offering.
Cybereason describes the "Raccoon" infostealer, a popular strain of commodity malware that emerged earlier this year. Raccoon doesn't do anything particularly novel or sophisticated, but it's easy to use, well-marketed, and provides excellent customer service around the clock. It operates under a malware-as-a-service (MaaS) model with customers paying $200 per month. Recorded Future found in July that Raccoon was one of the most-mentioned pieces of malware on underground forums this year.
Raccoon is usually delivered by exploit kits, by phishing emails containing malicious Word documents, or bundled with legitimate software. Once it's on a system, it targets stored data from thirty-three different browsers, including Chrome, Firefox, and Opera. These data include usernames, passwords, and credit card information. It also goes after sensitive information in Microsoft Outlook accounts, and searches for cryptocurrency wallets.
Cybereason thinks Raccoon's developers are Russian, but their support team offers assistance to both Russian and English-speaking customers. The malware is believed to have infected more than 100,000 systems within its short lifespan. Cybereason's researchers conclude that Raccoon's popularity is an indicator of the growing shift toward MaaS offerings, and they believe this trend will continue into next year.
Version 7 of the PHP programming language was patched against a vulnerability that could have allowed remote code execution under certain circumstances, Naked Security reports.
ZDNet says European authorities patched two vulnerabilities in the electronic IDentification, Authentication and trust Services (eIDAS) system. The system is designed to allow EU states, companies, and citizens to make secure, cross-border electronic transactions, and the vulnerabilities could have allowed an attacker to impersonate any eIDAS user.
Crime and punishment.
A 21-year-old Indonesian man was arrested for carrying out ransomware attacks and other criminal activities that netted him at least three hundred bitcoins, according to BleepingComputer. The police were tipped off after he hacked into an unnamed organization in San Antonio, Texas. If convicted, he faces up to ten years in prison.
A 26-year-old man from Florida and a 23-year-old man from Canada pleaded guilty in US Federal court to hacking Uber and Lynda.com in 2016, the New York Times notes. They were charged with extortion as well as hacking, since they tried to coerce security officials at the targeted companies into paying hundreds of thousands of dollars. Uber controversially paid the hackers through a bug bounty website, while Lynda.com refused and disclosed the breach.
Two Coalfire pentesters arrested in an Iowa courthouse have had their charges reduced from felony burglary to trespassing, KCCI Des Moines reports. Coalfire's CEO called the situation "completely ridiculous;" the company is pushing for all charges to be dropped.
Courts and torts.
Facebook filed a $2 million lawsuit in the Northern District of California against two domain registration companies, OnlineNIC and ID Shield, claiming that the companies are infringing on Facebook and Instagram's trademarks by refusing to take down cybersquatting domains, CNET reports. Some of these domains appear to be intended for use in phishing attacks, including "facebook-login[.]com" and "singin-lnstargram[.]com."
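The two domains quoted from the complaint show the usual squatting tricks: the brand as a hyphenated token ("facebook-login") and a homoglyph plus a typo ("lnstargram", with a lowercase L standing in for a capital I). The check below is an added example, not code from Facebook, CNET or the CyberWire; it refangs the bracketed notation the article uses, normalizes a small, assumed homoglyph table, and flags labels within a short edit distance of a brand. The brand list, the table and the single-label public-suffix assumption are illustration choices.

```python
"""Lookalike-domain check for names like those in the Facebook complaint.

Added example, not code from Facebook, CNET or the CyberWire. The two
domains from the article are included, defanged exactly as printed. The
brand list and homoglyph table are assumptions for illustration; a real
deployment would use a public-suffix list and a much larger table.
"""
import re

BRANDS = ("facebook", "instagram")

# Substitutions attackers rely on because they look alike in many fonts.
# Applied left to right before the comparison; the table is an assumption.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("3", "e"))


def refang(domain):
    """Turn 'example[.]com' or 'hxxp://' style defanging back into a hostname."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    return d.replace("[.]", ".").replace("(.)", ".")


def normalize(label):
    """Collapse visually confusable characters so 'lnstagram' reads 'instagram'."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=BRANDS, max_distance=2):
    """Return (brand, reason) if the registrable label imitates a brand, else None.

    Only the label left of the TLD is examined; this assumes a single-label
    public suffix such as .com (no public-suffix list is consulted). An exact
    brand label ('facebook.com') is treated as the legitimate registration.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    if sld in brands:
        return None
    for token in sld.split("-"):
        for brand in brands:
            if token == brand:
                return brand, "brand appears as a hyphenated token"
            if normalize(token) == brand:
                return brand, "homoglyph form of brand"
            dist = levenshtein(normalize(token), brand)
            if dist <= max_distance:
                return brand, f"edit distance {dist} from brand after normalization"
    return None


if __name__ == "__main__":
    for name in ("facebook-login[.]com", "singin-lnstargram[.]com",
                 "facebook[.]com", "faceb00k.com", "example.com"):
        print(f"{name:28} -> {lookalike_brand(name)}")
```

Edit distance alone produces false positives on short brand names, which is why the exact-token and homoglyph tests run first and why `max_distance` should shrink as the brand gets shorter.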
The Australian Competition and Consumer Commission is suing Google, accusing Mountain View of misleading customers about location data collected through the Android operating system, NPR says. The watchdog alleges that Google was intentionally silent about the fact that users needed to turn two settings off in order to disable data collection, while consumers were led to believe that turning off a single "Location History" setting would do the trick.
The US Department of Health and Human Services fined Jackson Health System in Miami $2 million for three HIPAA violations, the Miami Herald reports.
Policies, procurements, and agency equities.
The Australian Cyber Security Centre (ACSC) warned of an "ongoing and widespread" email phishing campaign spreading the Emotet banking Trojan. The agency said there have been at least nineteen recent Emotet infections in Australia, some of which involved the Trickbot malware as well. The infections were spread across "a variety of sectors in the Australian economy, including critical infrastructure providers and government agencies."
The European Commission on Tuesday published self-assessment reports by Facebook, Google, Microsoft, Mozilla, Twitter, and seven European trade associations. The reports summarize the steps the companies and associations have taken under the Commission's Code of Practice on Disinformation. A statement by the Commission commended the companies for their cooperation and commitments, but added that "progress varies a lot between signatories and the reports provide little insight on the actual impact of the self-regulatory measures taken over the past year as well as mechanisms for independent scrutiny."
The US Federal Communications Commission (FCC) proposed rules that would block communications companies from using money they've acquired from the FCC's Universal Service Fund (USF) "to purchase equipment or services from companies posing a national security threat, like the Chinese companies Huawei Technologies Co. and ZTE Corp." More disincentive than ban, the rules would also require USF recipients "to remove existing equipment and services from designated companies from their networks, and seek comment on how to provide financial assistance to these carriers to help them transition to more trusted suppliers."
Xinhua says China passed a law on the use of cryptography within the country. Systems that store and transmit state secrets will be required to use "core and common cryptography," while "citizens, legal persons and organizations" may use "commercial cryptography." Engadget observes that while the law ostensibly encourages the development of secure encryption technology, it bans people from designing systems that might "harm the state security and public interests or other people's rights and interests," and requires the government to examine and approve commercial cryptography products before they go to market.
Fortunes of commerce.
The New York Times reports that hundreds of Facebook's employees sent Mark Zuckerberg an open letter criticizing the CEO's stance on political ads. Zuckerberg has been defending Facebook's policy of refusing to remove misleading or false political ads, arguing that removing them would amount to censorship.
Twitter, on the other hand, has decided to stop accepting political ads altogether, the Washington Post says. The company's CEO Jack Dorsey tweeted that "[w]hile internet advertising is incredibly powerful and very effective for commercial advertisers, that power brings significant risks to politics, where it can be used to influence votes to affect the lives of millions."
Dorsey argued that political reach on Twitter should be organically earned, and paid advertisements artificially manipulate that process. He added that "machine learning-based optimization of messaging and micro-targeting, unchecked misleading information, and deep fakes" are difficult enough to deal with on their own, and adding money to the equation only brings further complexity to those issues. There will be some exceptions to the ban, including ads for voter registration. The final policy will go into effect on November 22nd.
The Aspen Cybersecurity Group announced that fifteen major companies have committed to improving the cybersecurity talent pipeline by broadening the reach of their job postings and the pool of applicants they consider, and by simplifying career paths. The committed companies include Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, and Verizon.
Today's issue includes events affecting Australia, Cameroon, Canada, Central African Republic, China, Côte d’Ivoire, Democratic People's Republic of Korea, Democratic Republic of the Congo, European Union, Georgia, India, Indonesia, Israel, Japan, Libya, Madagascar, Mozambique, Russia, Rwanda, South Africa, Sudan, United States.