MVISION Insights: Move Beyond Intelligence to Insights that Empower You to Change Your Environment.
Harnessing the power of one billion threat sensors worldwide, McAfee designs security fueled by Insights. MVISION Insights enables you to move beyond intelligence and empowers you to change your environment. Identify with Machine Learning. Defend and correct with Deep Learning. Anticipate with Artificial Intelligence. Move your security out of reactive mode to a proactive posture. McAfee, the device-to-cloud cybersecurity company. Go to McAfee.com/insights to learn more.
The Week that Was.
February 15, 2020.
By the CyberWire staff
Nevada prepares for its upcoming caucuses.
The Nevada Democratic Party, which has decided to forgo the use of an app like the one used in the Iowa caucuses, has said it intends to use iPads, Google Forms, and other "tools" (not apps) to process and tabulate results in its February 22nd caucuses, according to the Washington Post. The Post notes that this still leaves the door open for potential problems and vulnerabilities, although Chad Loder, founder of Habitu8, pointed out that using a well-established resource like Google Forms is still wiser than trying to rush out a custom-made app. Nevada's plans still seem somewhat uncertain, and the DNC is worried it will see a repetition of what happened in Iowa. Yahoo News obtained documents showing that the DNC was "intimately involved" in the development of the app that caused problems in Iowa.
Meanwhile in Iowa, the Sanders and Buttigieg campaigns have both filed for a partial recanvass of the caucus results, the Associated Press reports. Troy Price, the head of the Iowa Democratic party, has resigned, according to NPR. Price said in his resignation letter, "As chair of this party, I am deeply sorry for what happened and bear the responsibility for any failures on behalf of the Iowa Democratic Party."
Dragos Webinar: Industrial Control Systems are Everywhere Hands-On Demonstration
Join the Feb. 18 ICS Range demonstration to see real control systems, learn about ICS adversaries and hear how to protect your networks. Tom VanNorman, Dragos Director of Engineering Services and co-founder of the ICS Village, walks you through this realistic range and shares his inspiration for developing it.
Researchers claim voting app is vulnerable to attacks.
Researchers at MIT released a paper outlining numerous security vulnerabilities in Voatz, a voting app that's been used in West Virginia, Colorado, Oregon, Utah, and Massachusetts, and which is slated for use in the 2020 Presidential election. The researchers say an attacker could, depending on their level of access, "alter, stop, or expose a user’s vote, including a sidechannel attack in which a completely passive network adversary can potentially recover a user’s secret ballot."
Voatz vociferously disputed these claims, stating in a blog post that the researchers had analyzed an old version of the app that hadn't been used in any elections. It also asserted that the attacks laid out in the paper would be blocked by server-side defenses. Voatz went so far as to allege that "the researchers' true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion."
The Verge notes that Voatz's defense didn't assuage the security community's concerns, quoting Johns Hopkins cryptographer Matthew Green as saying, "The device just sends votes to a server. The server might put them on a blockchain, but this doesn’t help if either device or server is compromised. Voatz needs to explain how they deal with this."
Cybersecurity moves fast. Get everything you need to keep up at RSAC 2020.
How do busy cybersecurity professionals stay on top of basic frameworks and emerging trends? By attending the one event that connects you to top industry leaders and a global community that is dedicated to making the world a safer place. Join RSAC 2020 February 24-28 for access to expert-led track sessions, inspiring keynotes, in-depth trainings, innovation in action, career-enhancing networking opportunities and so much more. Register today!
Iran sustains a large DDoS attack.
NetBlocks on Saturday observed a large Internet shutdown in Iran, which Tehran's Ministry of Information and Communications Technology (ICT) attributed to a distributed denial-of-service attack. The ICT initially refrained from attributing the attack to any specific actor, but by Friday it had laid the blame upon the United States, Tasnim reports. Iran said it was able to repel the attack thanks to its "Digital Fortress" defenses.
Crypto AG was owned by the CIA and BND.
The Washington Post reports that the Swiss encryption company Crypto AG was owned for decades by the US CIA and Germany's Bundesnachrichtendienst (BND). The company was used by the CIA and NSA to gain access to encrypted communications by producing and selling seemingly secure encryption devices to the US's allies and adversaries. The Washington Post and ZDF obtained a classified CIA report which stated that "It was the intelligence coup of the century. Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries." Other countries said to have had knowledge of the deal included the United Kingdom, Israel, Sweden, and Switzerland, according to the Telegraph.
The Register notes that Crypto AG had long been suspected of working for the CIA, but these suspicions hadn't been confirmed until now. It's worth mentioning that the vast majority of the company's employees were unaware that their products were backdoored. Crypto AG was liquidated in 2018, but Switzerland has opened an investigation into the matter.
Get your copy of the definitive guide to threat intelligence.
We brought together a team of experts and wrote the definitive guide to everything you need to know about threat intelligence. Whether you work in vulnerability management, incident response, or another part of cybersecurity, our book has something for you. Are you attending RSA Conference 2020 in San Francisco February 24–28? Don't forget to stop by Booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook."
US government releases data on North Korean hacking operations.
CyberScoop reports that US Cyber Command has publicly released details on a hacking campaign run by the North Korean group Hidden Cobra. The FBI and CISA also published Malware Analysis Reports on seven North Korean Trojans, known as Artfulpie, Bistromath, Buffetline, Crowdedflounder, Hoplight, Hotcroissant, and Slickshoes. ZDNet notes that six of these are new, while Hoplight was revealed by the Department of Homeland Security and the FBI in April 2019. Cyber Command said on Twitter that these samples are "currently used for phishing & remote access by #DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions."
China's criminal underground is beginning to thrive.
McAfee says the Chinese cybercriminal underground is following in the footsteps of Russia's underground with the rise of large, organized criminal groups. One of the drivers of this trend is Chinese groups' gradual adoption of deep web criminal networks to conduct business, rather than relying on one-to-one communication through Tencent's QQ instant messaging service. China's criminal groups have also expanded their operations to include international targets, rather than focusing primarily on Chinese businesses.
One interesting aspect of China's underground is the presence of what McAfee calls a "master-apprentice mechanism," in which skilled cybercriminals recruit lower-level skids and train them for a fee. This has resulted in a "greater emphasis on community and discipleship in achieving financial gains" than is typically seen in Russia's criminal underground.
Another notable finding is that many Chinese cybercriminals specialize in data theft, and they sometimes rent out their services to conduct political or economic espionage for criminal customers. As a result, McAfee says it's becoming more difficult to distinguish criminal hacking from state-sponsored activity, since Chinese government hackers have a similar focus on espionage.
CyberWire Pro is an independent news service you can depend on to stay informed, and save time. This unique offer will include access to exclusive briefings, podcasts, and much more! Learn more at thecyberwire.com/pro.
Microsoft released fixes for ninety-nine vulnerabilities on Patch Tuesday, which ZDNet notes is the highest number of flaws Redmond has ever addressed in one go. The fixes included a patch for CVE-2020-0674, a remote code execution flaw in Internet Explorer that Microsoft said was being exploited in the wild.
Adobe has patched forty-two vulnerabilities in Framemaker, Flash Player, Reader and Acrobat, Digital Editions, and Experience Manager, many of which are rated "critical," according to BleepingComputer.
Intel released firmware updates to fix a security vulnerability in its Converged Security and Management Engine (CSME) that could lead to "escalation of privilege, denial of service, and information disclosure."
Crime and punishment.
The US Department of Justice on Monday revealed a nine-count indictment of four members of China's People’s Liberation Army (PLA) for hacking US credit bureau Equifax in 2017. As WIRED notes, China had previously been suspected in the hack based on circumstantial evidence, but the Justice Department's indictment provides a detailed look into the hackers' operations. The indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei exploited an Apache Struts vulnerability to deploy web shells on an Equifax web server. They then obtained employee credentials to access the company's databases, and began executing SQL queries to retrieve data. Several weeks and 9,000 queries later, they'd extracted personally identifiable information on 145 million American citizens. The hackers were able to avoid detection by compressing and compartmentalizing the data into small chunks before exfiltrating it, and by using Equifax's encrypted communication channels to blend in with network traffic.
Slate observes that the Justice Department's indictment characterizes the Equifax breach as an act of economic espionage, even though China's motives in the incident are widely assumed to be those of traditional espionage. Attorney General William Barr stated that "[t]his data has economic value, and these thefts can feed China’s development of artificial intelligence tools as well as the creation of intelligence targeting packages." The Atlantic sees this as more evidence "that the U.S. government is treating personal data more and more as a 'dual use' item with commercial and national-security value alike."
The US Justice Department also hit Huawei and four of its subsidiaries with a RICO indictment, accusing them of racketeering, conspiracy to steal trade secrets, wire fraud, bank fraud, conspiracy to defraud the United States, violating the International Emergency Economic Powers Act (IEEPA), money laundering, and obstructing justice. The indictment says that Huawei encouraged its employees to steal intellectual property from competitors, and includes a long list of instances where such behavior allegedly took place. The Justice Department said this strategy was successful, and that "[a]s a consequence of its campaign to steal this technology and intellectual property, Huawei was able to drastically cut its research and development costs and associated delays, giving the company a significant and unfair competitive advantage." Gizmodo notes that bringing a RICO charge against a large corporation like Huawei appears to be unprecedented.
The owner of Freedom Web Hosting, Eric Eoin Marques, pleaded guilty in a Maryland court to conspiracy to advertise child pornography, HackRead reports. Freedom Web Hosting was an anonymous web hosting service that contained more than 8.5 million child abuse images, nearly two million of which involved victims who were unknown to law enforcement.
A Russian citizen, Anton Bogdanov, pleaded guilty in a Brooklyn Federal court to committing wire fraud conspiracy and computer intrusion as part of a scheme to get fraudulent tax refunds from the US Treasury Department by using other people's information to file tax returns. The US Justice Department states that Bogdanov and his co-conspirators gained access to taxpayers' PII by hacking US tax preparation firms—specifically, by exploiting "a vulnerability in a remote access program used by the tax preparation firms’ employees."
Courts and torts.
Ohio's Attorney General is suing Idea Buyer, a product-launch company based in Dublin, Ohio, for failing to deliver on promised services after the company permanently closed its doors due to a destructive cyberattack, Columbus Business First reports. The company's data, which had been stored in Amazon Web Services, was hacked last year along with its backup. The company's CEO Eric Corl says he didn't realize their business insurance policy had exclusions for hacking until after the act took place. Corl maintains that any claims that the company misled its clients are "false and unsupported by any reasonable interpretation of facts." The Ohio Attorney General disagrees, and is seeking $25,000 in damages for each client.
Policies, procurements, and agency equities.
The US Government Accountability Office (GAO) released a report outlining concerns about IT challenges facing the upcoming 2020 US Census, Federal News Network notes. The report stresses that "[t]he success of these operations, in part, relies on the [Census] Bureau’s preparations, including recruiting and hiring a sufficient workforce; the development and testing of information technology systems; and maintaining public trust to ensure participation by developing community partnerships, combating disinformation, and protecting the privacy of respondent data. The Bureau is actively managing these preparations, but continues to face significant risks that could adversely impact the cost, quality, schedule, and security of the count."
The European Union has removed its moratorium on the use of facial recognition and will allow member states to decide for themselves how to regulate the technology, the Financial Times has learned.
UK Prime Minister Boris Johnson said that after Brexit the country would develop its own data protection policy, but ZDNet doesn't think the new regulation would look substantially different from GDPR.
Reuters reports that Germany appears to be leaning toward a risk management position with respect to Huawei similar to that adopted by the UK: mitigating security risks without closing the door entirely on potentially risky vendors.
The US on Monday released its National Counterintelligence Strategy, which concludes that the US is facing a more complex, diverse, and damaging threat landscape. The document states that "[t]he U.S. Government must pursue a more integrated cyber counterintelligence posture to defend against hybrid attack methods that involve supply chain, cyber, technical means and insider enabled attacks. This will require leveraging innovative technological advancements; recruiting, developing and retaining technical experts in the cyber, counterintelligence and security disciplines; and stronger partnerships among the federal, state and local governments, and the private sector."
Fortunes of commerce.
The Mobile World Congress (MWC), which was slated to commence in Barcelona on February 24th, has been cancelled over concerns about the coronavirus, the Verge reports. The cancellation of such a massive conference led many to wonder if RSA 2020 might suffer a similar fate, but RSA stated on Wednesday that it currently "plans to proceed as scheduled," although it "will continue to follow the guidance of the CDC and the WHO and is in close communication with the City of San Francisco to monitor all new developments pertaining to the Coronavirus."
The Wall Street Journal, citing US national security adviser Robert O'Brien, reports that Huawei retains access to interfaces in its equipment designed for use by law enforcement. These interfaces aren't unique to Huawei's equipment, but telecom equipment manufacturers aren't supposed to be able to access the interfaces after they've been installed. Huawei denies the accusations, saying the claims are "part of the U.S. Justice Department’s attempt to irrevocably damage its reputation and its business for reasons related to competition rather than law enforcement." Lawfare notes, however, that a senior Huawei official quoted by the Journal said that accessing data through these interfaces without permission from the network operator "is extremely implausible and would be discovered immediately," thereby implying that such access is technically possible.
A survey by TripWire found that 83% of cybersecurity workers feel more overworked now than they did at the beginning of 2019, with 27% feeling significantly more overworked.
Mergers and acquisitions.
Okdiario reported Thursday that Cisco was preparing an acquisition bid for FireEye, but Barron's cited a source close to Cisco as saying there was "zero truth" to the rumors.
Investments and exits.
London-based human risk intelligence platform provider OutThink received €1.4 million ($1.5 million) in a seed funding round led by Forward Partners, according to EU-Startups.
France is moving forward with its plan to create a cybersecurity campus designed to increase communication and strengthen ties between public and private sector organizations, the Daily Swig reports. The campus is expected to open next year.
Today's issue includes events affecting China, France, Germany, Iran, Israel, Democratic People's Republic of Korea, Russia, Spain, Sweden, Switzerland, United States.
A note to our readers: no publication on Monday.
Monday is Presidents Day, and the CyberWire will be observing the US Federal holiday by taking the day off. We'll be back as usual on Tuesday.
ON THE PODCAST
Research Saturday is up. In this week's episode, "If you can't detect it, you can't steal it," we speak with researchers at Ben-Gurion University of the Negev, who describe a new way to transmit encrypted data at the photonic layer. Dan Sadot is a professor in the ECE department at Ben-Gurion University, and he joins us to share their findings.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.