MVISION Insights: Move Beyond Intelligence to Insights that Empower You to Change Your Environment.
Harnessing the power of one billion threat sensors worldwide, McAfee designs security fueled by Insights. MVISION Insights enables you to move beyond intelligence and empowers you to change your environment. Identify with Machine Learning. Defend and correct with Deep Learning. Anticipate with Artificial Intelligence. Move your security out of reactive mode to a proactive posture. McAfee, the device-to-cloud cybersecurity company. Go to McAfee.com/insights to learn more.
The Week that Was.
February 8, 2020.
By the CyberWire staff
Coding error causes Iowa caucus delays.
The Iowa Democratic Party caucus spiraled into chaos on Monday after precincts encountered difficulties with an app designed to report caucus results to the party's headquarters, according to the San Diego Union-Tribune. Very few observers suspect any kind of cyberattack, since there's ample evidence that the app in question was poorly designed and hastily deployed without adequate testing. The incident did spawn a number of apparently homegrown conspiracy theories and disinformation that proliferated across social media, however.
The Iowa Democratic Party was slow to release partial results, but as of Friday ninety-nine percent of the vote had been released. The New York Times found that "more than 100 precincts reported results that were internally inconsistent, that were missing data or that were not possible under the complex rules of the Iowa caucuses." The Times doesn't believe these errors were intentional, but the race is close enough that any discrepancies could be significant. Democratic National Committee Chair Tom Perez tweeted that the Iowa Democratic Party should "immediately begin a recanvass," but later said only precincts with inconsistencies should do so, The Hill reports. The Iowa Democratic Party only accepts requests for recanvassing from candidates themselves, and it's extended the deadline for such requests until Monday, the Washington Post says.
Motherboard obtained a copy of the app that initially caused the problems, which was developed by Shadow Inc. Android app developer Kasra Rahjerdi told Motherboard that the app appeared to be a "very very off the shelf skeleton project plus add your own code kind of thing," adding that it was "clearly done by someone following a tutorial." The app's development process was rushed, as the Washington Post says it was developed over the course of just two months. Shadow couldn't get the app finished in time to get it approved for Apple's store, so it was distributed to iOS users via Apple's beta testing service TestFlight. Android users had to use an equivalent service called TestFairy to install the app on their phones.
Shadow's CEO Gerard Niemira told Motherboard that the app was intentionally simple, since "it’s basically a calculator." Niemira said one of the primary issues had to do with a data formatting problem when the results were transferred to a verification system used by the Iowa Democratic Party.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says it offered to test Shadow’s app, but the Iowa party turned down the offer. (The Washington post notes that Iowa Democratic Party chair Troy Price says he wasn't aware of CISA's offer.)
While the Iowa caucuses don't resemble the voting process in other states, NPR offers some lessons to take away from the matter. The Verge believes the incident demonstrates why elections should be kept "as analog as possible."
The Des Moines Register reports that some in the Iowa party blame a last minute security patch the DNC requested for IowaReportingApp's bugs. John McCormally, a former member of the state party’s Central Committee and this year a Polk County precinct chair, gave the Register a copy of a communication he received Saturday evening that directed an eleventh-hour security upgrade for the IowaReportingApp. Neither the state party nor the DNC would comment.
Executives are the backdoor into your organization. Who’s patching that?
Every day, companies are under cyberattack and the personal lives of executives are a weak spot. For too long corporate teams have been unable to protect the executives in their personal lives due to privacy laws/implications and SEC impacts. BlackCloak provides a Concierge Cybersecurity™ solution for these evolving threats and offers a customized cloak of protection to protect corporate executives in their personal lives. Enlist BlackCloak for your executive cyber protection.
State voter registration site hit by DDoS attack.
BleepingComputer reports that the FBI on Tuesday issued a Private Industry Notification that it’s received reports that a state-level voter registration and information site was hit with an attempted distributed denial-of-service attack. The Bureau didn’t say which state’s site was affected, but it stated that the website "received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack." That is, the system was flooded with a large number of DNS requests for non-existent subdomains. Fortunately, rate-limiting on the targeted DNS servers prevented the attack from succeeding.
Ransomware begins targeting industrial control systems.
Dragos released a report on the EKANS ransomware discovered in December 2019. EKANS is notable among ransomware strains for its ability to stop certain processes associated with industrial control systems. EKANS was apparently preceded by a new version of the MegaCortex ransomware released in mid-2019, which targeted more than a thousand IT-related processes along with some ICS-specific processes. EKANS targets just sixty-four processes, the majority of which are related to ICS products. All of these ICS-related processes were present in MegaCortex's list of targets, suggesting that EKANS's developers pulled their list from MegaCortex.
Dragos stresses that EKANS and the new version of MegaCortex represent the first instances of ransomware specifically targeting ICS processes. Unlike some of the more sophisticated, state-sponsored strains of ICS malware, EKANS can't actually manipulate ICS operations. It can, however, cause an undesirable loss of visibility into industrial environments. Dragos is more concerned about the trend that EKANS signifies than they are about its ability to disrupt operations, stating that, despite its lack of advanced functionality, "the specificity of processes listed in a static 'kill list' shows a level of intentionality previously absent from ransomware targeting the industrial space."
It's worth mentioning that researchers at OTORIO also analyzed EKANS (which they refer to as "SNAKE") and concluded that the malware was probably linked to Iranian state-backed threat actors, but Dragos's researchers push back against OTORIO's conclusion, stating that any connection to Iran is "incredibly tenuous based upon available evidence." Dragos believes the malware is more likely the work of financially motivated criminal actors. It's not surprising that ransomware gangs would begin targeting industrial control systems; as SentinelOne researcher Vitali Kremez told WIRED, "[t]hese industrial control system machines are some of the most high-value targets. There's lots of urgency, and data availability is at the core of the mission. So there's a lot of incentive to pay the attackers."
Cybersecurity moves fast. Get everything you need to keep up at RSAC 2020.
How do busy cybersecurity professionals stay on top of basic frameworks and emerging trends? By attending the one event that connects you to top industry leaders and a global community that is dedicated to making the world a safer place. Join RSAC 2020 February 24-28 for access to expert-led track sessions, inspiring keynotes, in-depth trainings, innovation in action, career-enhancing networking opportunities and so much more. Register today!
Charming Kitten suspected in spearphishing attacks.
Researchers at Certfa Lab describe a spearphishing campaign that's targeting journalists and activists with fake interview requests in order to gain access to their email accounts. The researchers believe the Iran-associated group Charming Kitten (APT35) is behind the campaign based on similar TTPs and infrastructure overlap with previous campaigns.
In one case, the attackers posed as Iranian-American New York Times journalist Farnaz Fassihi and sent a Persian-language email to the target, who the sender identifies as a successful, non-local Iranian. The initial email contains nothing malicious, although every hyperlink in the message uses a link-shortening service, allowing the attackers to collect some information about the recipient's device if they click on one of these links. The email body invites the recipient to participate in an interview with the Wall Street Journal, where Fassihi worked for seventeen years. If the recipient accepts, the attackers send them a link to a page hosted on Google Sites, which in turn has a link to supposedly download the interview questions. Clicking this link will send the victim to a spoofed email login page to steal their credentials, followed by a page designed to intercept their two-factor authentication code.
Certfa also tied this phishing campaign to a new strain of malware that appears to be under development.
Malaysia's CERT warns of cyberespionage.
CyberScoop reports that APT40, a threat group linked to China, is suspected to be behind a cyberespionage operation targeting Malaysian government officials. The Malaysian Computer Emergency Response Team (MyCERT) issued a statement saying the operation involves "short and targeted campaigns" using compromised or spoofed email accounts to send spearphishing emails containing Microsoft documents with malicious macros. MyCERT says the attackers "tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data."
Georgetown University Part-Time Master's in Cybersecurity Risk Management
Looking to advance your cybersecurity career? Check out Georgetown University's graduate program in Cybersecurity Risk Management. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. You'll leave the program with the expertise you need to effectively manage risks and navigate today’s increasingly complex cyber threats. Learn more.
More Japanese defense contractors disclose breaches.
Following Mitsubishi Electric's disclosure last month of a security breach by suspected Chinese threat actors, three more Japanese defense contractors have disclosed similar incidents. IT and electronics company NEC Corporation said last Friday that it had suffered a series of attacks beginning in December 2016 and continuing through 2018, the Japan Times reports. The attackers gained access to 27,445 files, including technical proposals for submarine sonar intended for the Japanese navy.
Geospatial services provider Pasco Corporation and steel manufacturing giant Kobe Steel both disclosed breaches this past Thursday, BleepingComputer reports. Pasco was hit in May 2018, and the company says its investigation so far hasn't turned up any evidence of data theft. Kobe Steel said 250 files may have been stolen, some of which included information on Japan's Defense Ministry, the Japan Times notes.
According to BleepingComputer, Japanese Defense Minister Taro Kono stated in a press conference that it's not clear if any of these attacks are related, but the incidents are now being disclosed because "it is necessary to get the world to know and think about defenses."
Twitter API exploited to match accounts to phone numbers.
Twitter disclosed that it had suspended "a large network of fake accounts" abusing Twitter's API to match usernames to phone numbers. Security researcher Ibrahim Balic told TechCrunch in December that he found he could use Twitter's contact upload feature to match millions of Twitter users to their phone numbers by generating and uploading random numbers. Twitter believes some of the activity it observed may be state-sponsored, and it "immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries."
CyberWire Pro is an independent news service you can depend on to stay informed, and save time. This unique offer will include access to exclusive briefings, podcasts, and much more! Learn more at thecyberwire.com/pro.
WhatsApp has released a patch for a vulnerability discovered by PerimeterX in WhatsApp's desktop platform that could enable cross-site scripting. Facebook explained that "[e]xploiting the vulnerability requires the victim to click a link preview from a specially crafted text message."
Crime and punishment.
Alleged Vault 7 leaker Joshua Schulte has gone on trial in New York, NPR reports. Mr. Schulte has pleaded not guilty to eleven criminal charges, seven of which relate to leaking the CIA's data to Wikileaks, according to CyberScoop.
Quartz reports that a Raytheon Missile Systems engineer has been arrested by the FBI for taking a company-issued laptop containing classified information with him on a trip to China. The engineer possessed information pertaining to several missile systems used by the US and its allies, and he's being charged with violating the International Traffic in Arms Regulations (ITAR).
CyberScoop says the US Department of Justice is preparing a new round of indictments against Chinese nationals for conducting cyberespionage against organizations in the US.
Three Australians have been arrested for allegedly stealing AU$11 million (US$7.41 million) by hacking into companies and modifying payroll information, according to the Australian Broadcasting Corporation.
Reuters reports that a Brazilian judge has at least temporarily delayed accepting charges of cybercrime against US journalist Glenn Greenwald, stating, "I decline, for now, to receive the complaint against Glenn Greenwald, due to the controversy over the extent of the injunction granted by Minister Gilmar Mendes."
Courts and torts.
Naked Security summarizes the industry response to Clearview AI, a company that offers a facial recognition search engine to law enforcement. Twitter, Google, YouTube, LinkedIn, and Venmo have all sent cease-and-desist letters demanding that the company stop scraping images from their platforms, CBS News says. Facebook hasn't sent a formal cease-and-desist, but it said it has "serious concerns" and told Clearview to stop using data from its products while it investigates the company’s practices. Clearview AI's founder and CEO Hoan Ton-That argued on CBS This Morning that the First Amendment gives his company the right to use publicly available information in this manner.
Policies, procurements, and agency equities.
Cooley offers a look at how Brexit will change data protection regulation in the UK. In brief, not much: a transitional agreement with the EU leaves both GDPR and GDPR's EU-US Privacy Shield in place through December 31st, 2020. After that, Cooley predicts, British data protection regulations are still likely to track the GDPR closely.
The District Court of The Hague ruled on Wednesday that the Dutch government's algorithm-based social security fraud prediction system was in violation of Article 8 of the European Convention on Human Rights (ECHR) and must be discontinued immediately, TechCrunch reports. ZDNet explains that the system, known as "SyRI," used machine learning to compile profiles based on individuals who had previously committed benefits fraud. Using these profiles, the system would then identify and flag people who the algorithm thought worthy of further scrutiny, even if those people hadn't previously been suspected of committing a crime. As TechCrunch puts it, "the court found that the SyRI legislation fails a balancing test in Article 8 of the ECHR which requires that any social interest to be weighed against the violation of individuals’ private life, with a fair and reasonable balance being required."
The US Department of Homeland Security's CISA released its Elections Cyber Tabletop Exercise Package to help local election officials prepare for real cyberattacks, StateScoop notes.
Fortunes of commerce.
Forbes reports that former Autonomy CFO Sushovan Hussain—who was convicted in California last year for cooking the books during HP's disastrous acquisition of Autonomy—maintains a "lasting and sometimes troubling influence" on the UK-based cybersecurity company Darktrace. Hussain is a co-founder of Invoke Capital, where he's still employed, and he indirectly holds stock in Darktrace through Invoke Capital's ICP Darktrace Holdings, which owns the largest stake in Darktrace.
Private equity firm Advent International, based in Massachusetts, is acquiring San Jose, California-based device visibility company Forescout for $1.9 billion. Crosspoint Capital Partners joins Advent as a co-investor and adviser in the deal.
The New York City Mayor’s Office and the New York City Economic Development Corporation (NYCEDC) have launched a $100 million partnership with Israeli startup incubator firm Jerusalem Venture Partners as part of NYCEDC's Cyber NYC program, the Times of Israel reports.
Today's issue includes events affecting Canada, China, Germany, Iran, Israel, Japan, Malaysia, Netherlands, Russia, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this week's episode, "The Chameleon attacks online social networks," we speak with researchers at Ben-Gurion University of the Negev, who recently published a paper on a way to manipulate social media posts. Rami Puzis is an assistant professor at Ben-Gurion University, and he joins us to share their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.