
The Week that Was.

Turla stole APT34's tools and hijacked its infrastructure.

A joint report issued on Monday by the UK's National Cyber Security Centre and the US National Security Agency states that the suspected Russian APT Turla stole tools from the Iranian group APT34 (also known as OilRig) and used them in false-flag operations targeting victims in the Middle East that would have been of interest to both Turla and APT34. The victims included "military establishments, government departments, scientific organisations and universities." The NCSC and NSA say the Iranian crew was "almost certainly not aware of, or complicit with, Turla’s use of their implants." Turla also compromised Iranian hacking infrastructure and used it to deploy its own malware.

The agencies note that their observations are reinforced by private sector findings, such as Symantec's report in June which said Turla may have hijacked APT34's infrastructure and used it in attacks against a Middle Eastern target. Doug Cress, a division chief within the NSA’s Cybersecurity Directorate, told Reuters that "our main intent right here is to point out that there’s a lot of false flagging going on out there and we want to make sure our national security systems that we’re trying to defend are aware."

A spokesman for the Russian embassy in the UK said media publications on the matter are "an unsavoury interpretation" of GCHQ and NSA's statement, adding that the reports are meant to "drive a wedge" between Russia and Iran, according to Reuters.

Magecart Group 5 linked to Carbanak.

Malwarebytes has identified ties between Magecart Group 5 and the Carbanak criminal threat actor. The researchers examined domains used by Magecart Group 5 and linked them to domains used in Dridex phishing campaigns which distributed Carbanak's malware. The email address used to register these domains was also linked to a phone number mentioned in a blog post on Carbanak by Brian Krebs.

Magecart Group 5 differentiates itself from other card-skimming groups by launching supply chain attacks against vendors of website components, particularly those that service e-commerce sites. This allows them to compromise any site that uses those components, rather than having to hack each site individually. Carbanak (also known as FIN7) is a sophisticated group well-known for hacking banks and ATMs, as well as carrying out other financially motivated crimes.


The Winnti Group is using an MSSQL backdoor.

ESET describes a backdoor called "skip-2.0" used by the Chinese APT known as the "Winnti Group." It targets MSSQL Server 11 and 12, the most commonly used versions of the software. The backdoor "allow[s] the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs." It achieves this by hijacking the function MSSQL uses to validate passwords. The Register notes that skip-2.0 requires administrative privileges on a system, and that while the backdoor is stealthy, it's easy to find if you know what you're looking for.

The Winnti Group is a term for a group or groups of Chinese hackers also referred to as Wicked Panda, Blackfly and Suckfly, APT41, and BARIUM. Each company tracking the hackers has a different snapshot of their activity, but ESET notes that their definition is broad and includes all the subgroups based on their malware and TTPs. They also point out that the Winnti Group shouldn't be confused with the Winnti malware, which is used by the group.

VPN providers breached.

Hackers stole private encryption keys from NordVPN, TorGuard, and VikingVPN, Ars Technica reports. In NordVPN's case, the company said an attacker compromised a server in Finland used by the company (but owned by a third-party data center). The data on this server wasn't encrypted, so the attacker was able to steal three encryption keys, including a now-expired TLS key. That key could potentially have been used in a highly targeted man-in-the-middle attack, but it wouldn't have been able to decrypt data. The breach occurred in March 2018, and NordVPN learned of the incident in April 2019. The company took several months to audit thousands of its other servers before alerting the public. Ars Technica points out that the company doesn't detail what the other two keys were used for.

TorGuard stated that it experienced an "isolated breach" in 2017, during which the "server was not compromised externally and there was never a threat to other TorGuard servers or users." VikingVPN still hasn't commented on the reports.

Naked Security notes that the situation still isn't very clear, and that it's possible the incidents were related.


Criminals are impersonating Fancy Bear.

ZDNet discovered that a criminal group is launching DDoS attacks for purposes of extortion while posing as the Russian APT Fancy Bear. The attackers demand two bitcoins (around $15,000) and say the ransom will increase by one bitcoin for each day the money isn't paid. The ransom note states that "we are the Fancy Bear," and encourages victims to Google them "to have a look at some of our previous work." (ZDNet notes that Fancy Bear has never been known to launch DDoS attacks.)

ZDNet was tipped off to the attacks by a reader, and the incidents were confirmed by Radware, Link11, and Group-IB. The attacks are mostly aimed at financial companies, with some targeting entertainment and retail businesses. Most of the victims are in Singapore, South Africa, and Scandinavian countries.

Pilz hit by ransomware.

German automation tool manufacturer Pilz has been struggling to recover from a ransomware attack that hit the company on Sunday, October 13th. ZDNet says the BitPaymer ransomware affected all Pilz locations across seventy-six countries, and it took more than a week for the company to recover its product orders and delivery systems. The attack affected business systems, not production processes.

Patch news.

Firefox 70 launched on Tuesday with a number of new security and privacy features, according to VentureBeat. The browser will now block social tracking by default and offer a Privacy Protection report to show users what's been blocked.


Crime and punishment.

Czech police and counterintelligence services shut down a Russian cyberespionage operation conducted through the Russian Embassy in Prague, Radio Free Europe/Radio Liberty reports. Russia's FSB is thought to be behind the operation. Michal Koudelka, head of the Czech Republic's BIS intelligence service, said "[t]he network was completely destroyed and decimated," according to SecurityWeek. He added that it was connected to an espionage network in other, unnamed European countries.

The Telegraph reports that British police will begin using bots to predict the locations of hate crimes based on Twitter posts. The bots will use AI technology developed by Cardiff University's HateLab project to find posts deemed hateful and note the location where they were posted from, then map out trends to help police focus their efforts. The system is based on research which found that the number of "hate tweets" originating from an area correlated with the number of crimes targeting a race, religion, or ethnicity that occurred in that area.

Julian Assange's lawyers are arguing that Britain should block Assange's extradition to the United States on the basis that the charges against him are political offenses and that the prosecution is politically motivated, the Washington Post reports.

Courts and torts.

The FTC announced on Tuesday that it had barred Retina-X from selling three of its apps that were used as "stalkerware" unless the company can ensure the apps are not used maliciously. VICE notes that while companies like Retina-X market these types of products as legitimate monitoring tools, the software is frequently used in abusive relationships. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said that "[a]lthough there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses." Retina-X will also be required to delete any data it acquired from the apps.

The Wall Street Journal reports that US Senators Wyden (Democrat of Oregon) and Warren (Democrat of Massachusetts) are asking the FTC to investigate whether Amazon bears any responsibility in the Capital One breach. In a letter on Thursday, the Senators said the company failed to heed warnings about the server-side request forgery vulnerability in its AWS servers that led to the breach.

AT&T is being sued for $1.8 million over SIM swapping attacks that led to a California man having his identity and life savings stolen, Vice reports. The complaint says the plaintiff was targeted by SIM swapping attacks four times during 2018 and 2019, and it adds that a criminal investigation found that two AT&T employees were paid by the hackers to carry out the swaps. One of the employees was apparently responsible for conducting twenty-nine unauthorized SIM swaps in May 2018, while the other carried out twelve unauthorized swaps during the same month.

Thanks to all who connected at the 6th Annual Women in Cyber Security reception

The CyberWire just celebrated the contributions and successes of women in the cybersecurity industry with 400 women from across the nation at 6th Annual Women in Cyber Security reception. Thank you to our sponsors who helped make the evening possible: KnowBe4, McAfee, Northrop Grumman, Trinity Cyber, Centurylink, Cooley, Exelon, Recorded Future, Aon, CyberArk, FTI Consulting, ObserveIT, Saul Ewing Arnstein & Lehr, Synack, T. Rowe Price, Booz Allen, DataTribe, DeltaRisk, Dragos, Invictus, Maryland Innovation & Security Institute, Lewis, Verodin, CyberSecJobs, Edwards Performance Solutions, Katzcy, MindPointGroup, NetAbstraction and Shared Assessments.

Policies, procurements, and agency equities.

The UK's National Cyber Security Centre (NCSC) released its 2019 Annual Review, summarizing what the agency has been up to between September 2018 and August 2019. During that period, the NCSC handled 658 cyber incidents, took down 177,335 phishing URLs, and helped 2,886 small businesses in the UK carry out simulated cyber exercises. It also released the results of a survey conducted by Ipsos MORI on behalf of the NCSC and the Department for Digital, Culture, Media, and Sport which found that "people are concerned, confused and, to some extent, fatalistic that they will become victims of cyber crime." Seventy percent of the 2,700 respondents said they believe they will fall victim to at least one type of cyber crime within the next two years, and thirty-seven percent agreed that losing money or personal information online has become unavoidable.

C4ISRNET reports that the US Defense Department has replaced the outdated floppy disks in the system used to control nuclear missile launches. In June, the Strategic Automated Command and Control System (SACCS) switched to a "highly-secure solid state digital storage solution."

The deputy assistant director of the FBI’s Counterintelligence Division, Nikki Flores, briefed the House Judiciary Committee on election security preparations. Flores said that following the 2018 midterm elections, the Bureau's Foreign Influence Task Force expanded its focus from Russian operations to those of other countries, including China and Iran. She added that so far, no foreign adversary has tried to alter US vote counts, and the prevailing threat is information operations designed to impact public opinion. She stressed the importance of cooperation with social media companies in combating these operations: the FBI provides these companies with "actionable intelligence" regarding abuse of their platforms, while the social media companies provide the FBI, and by extension the wider Intelligence Community, with greater insight into which accounts are involved in these operations.

The Washington Post says US Senators Cotton (Republican of Arkansas) and Schumer (Democrat of New York) sent a letter to Joseph Maguire, the acting director of national intelligence, inquiring whether the Chinese-owned social network TikTok poses a national security threat and whether its moderators are censoring content. With regard to censorship, TikTok told BuzzFeed that its moderators are based in the US, and that it has never received any requests from the Chinese government to remove content. The company said the reason content related to the Hong Kong protests doesn't go viral on the platform is that TikTok's user base is largely uninterested in the subject matter. BuzzFeed's investigation and tests seem to bear out TikTok's claims.

Fortunes of commerce.

Reuters reports that the Czech Republic seems likely to allow Huawei to participate in building out the country's 5G infrastructure. Czech Industry Minister Karel Havlicek said, "[t]he technology which is the foundation of building 5G networks has a global character and I cannot imagine that we would have different parameters set for the approach to Huawei or any other company in the Czech Republic than in Germany or Poland."

Labor markets.

McAfee plans to lay off 107 employees at its Hillsboro, Oregon, location. The layoffs seem to involve software engineers. The company told the Oregonian that it "must balance the needs of the business with those of our workforce." The Oregonian cites a person familiar with McAfee's operations as saying that there are no similar job cuts planned at other locations.

Mergers and acquisitions.

Tokyo-based Trend Micro has acquired Sydney-based cloud security provider Cloud Conformity for $70 million. CRN notes that the acquisition comes as Trend Micro competes with Palo Alto Networks in cloud security, after Palo Alto acquired Cloud Conformity's competitor RedLock last year.

CRN reports that data analytics company Sumo Logic is in negotiations to acquire Austin-based cybersecurity startup JASK.

Raytheon is preparing to take full control of Forcepoint, currently a joint venture with Vista Equity Partners, Washington Technology reports.

Investments and exits.

Maryland-based endpoint protection specialist Attila Security is working on a $4 million funding round and, according to the Baltimore Business Journal, is planning a move from its current home in the DataTribe start-up studio to quarters in nearby Columbia.

Breach and attack simulation platform provider Picus Security has raised $5 million in a Series A funding round led by Earlybird (PR Newswire).

New York-based business risk intelligence firm Flashpoint has raised a total of $34 million, $6 million of which comes from investors and $28 million from Bank of Montreal’s Technology and Innovation Banking Group, SecurityWeek reports.

DarkMatter's founder, Faisal Al Bannai, is divesting all his holdings in the Abu Dhabi-based company, Gulf Business reports. He says he's confident the company will continue on its profitable trajectory under the new owners.

And security innovation.

The Telegraph reports that researchers at Google and IBM are arguing over Google's claim to have achieved quantum supremacy, that is, the ability of a quantum computer to perform a task that can't be carried out by even the fastest traditional computer. In a paper published in Nature, Google's researchers said their 53-qubit quantum computer performed a calculation in three minutes and twenty seconds that would have taken a supercomputer at least 10,000 years to complete. In a blog post published on Monday, IBM's researchers countered that "an ideal simulation of the same task can be performed on a classical system in 2.5 days and with far greater fidelity." Other critics pointed out, according to the New York Times, that Google's experiment had a very narrow application and wouldn't have many practical uses.

Naked Security concludes that quantum computing as a whole will probably have highly specialized applications, at least in the near future, but adds that the squabble between the two companies "feels like a PR exercise." Such squabbles are perhaps best thought of as opinion in a state of PR superposition. (Which, it occurs to us, might be a new way of addressing fake news: Instead of saying "no comment," or, "that statement is no longer operative," the press agent could say, "that assertion remains in a state of superposition." We know, we know, that would be more a classical wisecrack than a quantum joke, but cut some slack. Professor Planck would get it.)


Today's issue includes events affecting Australia, China, Czech Republic, Finland, Germany, Iran, Japan, Russia, Singapore, South Africa, United Kingdom, United States.

Research Saturday is up. In this issue, researchers at Juniper Networks review their work tracking a Trojan they call "Masad Stealer." It uses the Telegram instant messaging platform for part of its command-and-control infrastructure. Mounir Hahad is head of Juniper Threat Labs at Juniper Networks, and he joins us to share their findings.
