The Week that Was.
February 1, 2020.
By the CyberWire staff
Turkish threat actors suspected in Sea Turtle attacks.
Reuters on Monday cited anonymous UK and US officials as saying that hackers acting in the interests of the Turkish government are suspected to be responsible for a large-scale DNS hijacking campaign that targeted government agencies, companies, and other organizations. The officials based their assessment on the fact that the campaign's targeting was aligned with Turkish geopolitical interests, the fact that it bore similarities to prior attacks launched from Turkish infrastructure, and, perhaps most importantly, "information contained in confidential intelligence assessments that they declined to detail."
Reuters identified at least thirty victims of the campaign, which included email services belonging to the governments of Greece and Cyprus, the Iraqi government’s national security adviser, Albanian state intelligence, and domestic Turkish organizations. Reuters examined public DNS records to identify when the websites were redirected to attacker-controlled servers, and found that much of the hijacked traffic was intended for "login portals for email services, cloud storage servers and online networks." Reuters reporter Chris Bing stated on Twitter that his sources indicated that the hackers were in a position "to intercept all Internet traffic going to several countries in the Middle East."
Bing also confirmed that these hackers were behind the campaign tracked by Cisco Talos as "Sea Turtle." Researchers at Talos believe the operation has been ongoing since January 2017, and they noted in April 2019 that "the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward."
United Nations offices breached in July.
Documents leaked to The New Humanitarian (TNH) revealed that three United Nations agencies were hacked last year through the exploitation of a Microsoft SharePoint vulnerability (CVE-2019-0604). The attack began in July and was detected in August, at which point a confidential memo regarding the incident was circulated internally. TNH says at least forty servers were compromised: thirty-three at the UN office in Geneva, four at the UN Office at Vienna, and three at the UN Office of the High Commissioner for Human Rights (also in Geneva).
The Associated Press says UN officials described the hack as "sophisticated," and they suspect it may have been the work of state-backed hackers. What the campaign actually obtained is publicly unknown, but TNH says the report it read "implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders."
Most UN staff members apparently weren't informed of the breach. Ian Richards, president of the Staff Council at the United Nations, told the Associated Press that "All we received was an email (on Sept. 26) informing us about infrastructure maintenance work."
The UN has diplomatic immunity from breach disclosure laws, but TNH calls the organization's response to the breach a "cover-up." UN spokesperson Stéphane Dujarric told the publication that, "As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach."
Ryuk operators are targeting the oil and gas industry.
ThreatGEN CEO Clint Bodungen revealed last week that at least five oil and gas organizations recently suffered Ryuk ransomware attacks, Dark Reading reports. Bodungen believes all of these attacks are part of the same campaign, and Energywire quotes him as saying he's "99% certain that it was a campaign specifically targeting oil and gas firms." He suspects the facility described in a Coast Guard alert in December was a victim of this campaign, as was Mexico's state-owned oil company Pemex, which reported a Ryuk infestation in November. Bodungen says the two attacks his company responded to were restricted to the organizations' IT networks and only indirectly impacted industrial operations, although he told POLITICO that "If they had the intent of causing damage rather than seeking ransom, they were already in the system where if they wanted to they could’ve taken full control."
Snake ransomware targets industrial processes.
Israeli security firm Otorio says that a strain of ransomware called "Snake" is also interested in industrial sites, according to Bloomberg. Otorio believes the malware is both linked to Iran and probably implicated in the recent attack on Bahrain Petroleum Company. Snake targets many types of files, but it's notably interested in process controls. Otorio stated that "Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration, and control."
While many of the control systems Snake has been observed to go after are GE products, GE points out that the malware isn’t exclusively or even distinctly interested in GE systems, and it's not exploiting a vulnerability in GE's products.
Assuming the threat actor behind Snake is acting in Iran's interests, Otorio's CEO Danny Bren believes the attackers' motive is economic warfare, saying that "The target was picked carefully because they want to change oil prices....The world is putting a lot of financial tension on Iran and they are reacting with the same tool."
Wawa customers' payment card data up for sale.
KrebsOnSecurity reports that payment card data stolen from Wawa customers went up for sale on Monday on the online fraud shop "Joker's Stash." Researchers at Gemini Advisory discovered that Joker's Stash has put up four sets of data containing a total of just under 100,000 records, but it claims to have more than thirty million records forthcoming. (Krebs points out that criminals typically release stolen data gradually to avoid flooding the market). It's not clear if all thirty million records are from the Wawa breach, but the Gemini researchers determined that the data in the first batch was connected to Wawa's locations on the East Coast, the two states most affected being Florida and Pennsylvania.
Gemini notes that "major breaches of this type often have low demand in the dark web....However, JokerStash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards."
Wawa stated in response to the news that "We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," and they stress that they "remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved."
The Winnti Group is interested in Hong Kong universities.
ESET describes a campaign launched by the Chinese-associated Winnti Group against at least two (probably five) universities in Hong Kong. Winnti is using its eponymous Trojan to drop the ShadowPad backdoor on computers at these schools. The names of the universities were hardcoded into the malware samples used in the campaign, so the researchers conclude that the attacks are highly targeted.
Winnti's goal in this case seems to be intelligence gathering concerning the Hong Kong protests. The universities have been prominent in the protests over the now-withdrawn extradition law proposed in February 2019, so the security services have an obvious interest in keeping a close eye on them.
Zoom introduced mitigations for a security flaw that could allow anyone to join active meetings uninvited if they knew the Zoom Meeting ID, as long as the meeting's organizer hadn't implemented a password or a waiting room for approval. Researchers at Check Point tipped off Zoom in July 2019 after they discovered how easy it was to brute-force valid Meeting IDs. Zoom will now enable passwords by default, and it's added measures that will impede attempts to brute-force Meeting IDs.
Crime and punishment.
Dallas County, Iowa, has dropped all charges against two Coalfire employees who were arrested while conducting a physical penetration test against Dallas County Courthouse, KCCI reports. In a statement, Coalfire said that "Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges. Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing. It is the hope of Dallas County and Coalfire that the Judicial Branch will work with them so that any issues carrying out such vital testing can be avoided in the future."
Reuters reports that Israeli spyware company NSO Group has been the subject of an FBI investigation since at least 2017. The investigation appears to revolve around the possible use of NSO's software in hacks against US citizens and companies, and NSO's role in these alleged hacks. Specifically, Reuters says part of the inquiry is "aimed at understanding NSO's business operations and the technical assistance it offers customers," indicating that providing such assistance in hacks against US targets could constitute a violation of the Computer Fraud and Abuse Act or the Wiretap Act. NSO maintains that its technology can't be used against US phone numbers, and stated that it "[has] not been contacted by any U.S. law enforcement at all about any such matters."
Interpol, with substantial support from Group-IB, conducted Operation Night Fury against the criminal gang that operates the GetBilling sniffer and arrested three individuals in Indonesia. Indonesian law enforcement has charged the individuals with the theft of electronic data. Group-IB says the gang has "managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America, and some other countries" since 2018. According to Interpol, police took down two command-and-control servers in Singapore, and "Investigations in other ASEAN countries are ongoing, with INTERPOL continuing to support police in locating C2 servers and infected websites and identifying the cybercriminals involved."
Courts and torts.
Facebook has reached a preliminary $550 million settlement in a class-action lawsuit in the state of Illinois, in which the plaintiffs argued that the social network violated the Illinois Biometric Information Privacy Act through its use of facial recognition technology, the Verge reports. The Chicago Tribune says the settlement must now be approved by a judge in San Francisco, where the case was moved, and the final payout will be based on how many Illinois Facebook users file claims. One of the attorneys in the case told the Tribune that the number of claimants is estimated to be in the range of five to six million.
The US Federal Communications Commission told Congress on Friday that "one or more wireless carriers apparently violated federal law" by selling customers' real-time location data, TechCrunch reports. It's not yet clear which companies were implicated or how they violated the law, but TechCrunch notes that all the major carriers are potential suspects.
Policies, procurements, and agency equities.
The UK on Tuesday decided to allow Huawei's equipment into nonsensitive parts of the country's 5G network, NPR reports. According to Computing, Britain's Department for Digital, Culture, Media and Sport (DCMS) stated that "high risk vendors [are] to be excluded from sensitive ‘core' parts of 5G and gigabit-capable networks." Additionally, these vendors will only be permitted to supply up to thirty-five percent of the equipment used in nonsensitive parts of the network. CNBC summarizes the US Government's disappointment over the UK's decision, but Reuters quotes US Secretary of State Mike Pompeo as saying Thursday that he was "very confident that our two nations will find a way to work together to resolve this difference."
On Wednesday the European Union (which since then has dropped one member with Friday's Brexit) advocated for a similar approach to 5G for its twenty-seven member states, SC Magazine notes. EU countries will assess the risks associated with 5G providers and decide whether to ban or restrict certain vendors from their networks. Italy, for its part, doesn't plan to ban Huawei from participating in its 5G network, according to the New York Times.
Russia has blocked Switzerland-based ProtonMail and Netherlands-based StartMail, claiming that the encrypted email services had been used to relay thousands of false bomb threats, Computing reports. Russia's data protection authority Roskomnadzor says ProtonMail refused to hand over the identities of the people behind the threats, but ProtonMail says it was never asked to do so. Likewise, StartMail stated that "If the Russian government brings a criminal matter (such as fake bomb threats) with proper evidence to the Dutch Authorities for Legal Assistance and/or to StartMail’s internal abuse team, StartMail will investigate and take action against the accounts in question if necessary. However, the Russian government has not contacted us on this matter."
Fortunes of commerce.
On Monday, Motherboard and PCMag reported that antivirus company Avast was selling plentiful amounts of anonymized user data to major companies and advertisers through its Jumpshot subsidiary. While the data were anonymized, the scope of data collected was extensive enough that some users could most likely be identified. Avast's CEO Ondrej Vlcek announced on Thursday that he and Avast's board of directors "have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect." Vlcek stated that in the time since he took the helm of the company in June 2019, he has "[come] to the conclusion that the data collection business is not in line with our privacy priorities as a company in 2020 and beyond."
San Francisco-based identity verification startup Persona has raised $17.5 million in a Series A round. The company's press release names Coatue and First Round Capital as two of the investment firms that participated in the round.
India-based IT consulting company Infosys has sold its stake in Danish artificial intelligence startup UNSILO for $800,000 (about ₹5.7 crore), according to Livemint. Infosys had invested around ₹14.5 crore in the startup in 2016.
The Baltimore Business Journal reports that Gula Tech Adventures is hosting a cyber pitch competition, "CyberQuest 2020," on April 21st, 2020, in Columbia, Maryland. The winner will receive a $150,000 investment.
Today's issue includes events affecting Albania, Australia, China, Cyprus, Denmark, European Union, Greece, India, Indonesia, Iraq, Israel, Italy, Mexico, Netherlands, Russia, Singapore, Switzerland, Turkey, United Kingdom, United Nations, United States.
ON THE PODCAST
Research Saturday is up. In this week's episode, "Tracking one of China's hidden hacking groups," we speak with researchers at Fox-IT, who have been tracking the activities of a suspected Chinese threat actor that's targeting managed service providers across many industries. Maarten van Dantzig is Lead Intelligence Analyst at Fox-IT, and he joins us to share their findings.