The Week that Was.
January 4, 2020.
By the CyberWire staff
US drone strike kills Iran’s Quds Force commander.
Iran promised retaliation after a US airstrike in the outskirts of Baghdad early today killed Iranian Major General Qassem Soleimani, commander of the Islamic Revolutionary Guard's Quds Force. One of Soleimani's principal collaborators, Iraqi militia commander Abu Mahdi al-Muhandis, was also killed. Reuters cites US sources as saying the strike was intended to disrupt further plans by militia aligned with Iran to attack US targets, including the US embassy in Iraq. Iranian operations against US assets and interests have long been asymmetric and are likely to remain so.
General Soleimani was widely regarded as an effective leader who traveled widely and worked intelligently to build Iranian influence in the Arab world. He had overtly supported Iraqi Shi’ite militia, which accounts for his presence in the vicinity of Baghdad. The Atlantic quotes the US Defense Department as stating that "General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region." General Soleimani had for some time traveled with impunity throughout the region, as the New York Times notes.
Observers expect an increase in cyber conflict in the wake of Soleimani's death, and the Telegraph outlines the current state of Tehran’s capabilities. CISA Director Christopher Krebs reshared a statement from June on Iranian cybersecurity threats, tweeting that it's "time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS." Tehran claims to have some 100,000 "cyber warriors," and while this number is almost certainly considerably exaggerated, Iran’s capabilities in cyberspace aren’t negligible. Most of their attacks in recent years have been directed against regional rivals, especially the threat group OilRig’s campaigns against Saudi targets, but Iranian groups have hit US targets in the past. The US Justice Department, for example, in February of 2018, secured Federal indictments against nine Iranian nationals associated with the Mabna Institute, an organization that serves as a cyber operations contractor for the Revolutionary Guard Corps. Charges included “conspiracy to commit computer intrusions; conspiracy to commit wire fraud; computer fraud - unauthorized access for private financial gain; wire fraud; [and] aggravated identity theft.” The indictment alleges that their victims “included approximately 144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations.” This of course represents a small sample of what Tehran’s cyber operators might be capable of. Note especially the implications of CISA Director Krebs's tweet: industrial control systems would be attractive targets.
APT37 versus Windows (advantage Microsoft).
Microsoft has confirmed that APT37, the North Korean threat group Redmond tracks as "Thallium," has been aggressively pursuing Windows users, and that Microsoft has seized fifty domains Thallium used in its espionage campaigns. Microsoft identified a network of domains, websites, and computers that were used by Thallium "to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information."
Most of Thallium's targets were located in the US, Japan, and South Korea, and included "government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues." The threat group uses spearphishing to compromise accounts and to distribute malware. Once they've compromised an email account, the attackers set up mail forwarding rules so they'll keep receiving victims' inbound email even after they've lost access to the account. Microsoft recommends that users check their email forwarding rules for any suspicious activity.
Cloud Hopper was worse than had been generally believed.
The Wall Street Journal on Monday published its investigation into the Cloud Hopper cyberespionage campaign that Reuters broke in December 2018. The US Justice Department at that time indicted two Chinese nationals (both of whom remain at large) and alleged that the duo had been working for China's Ministry of State Security's APT10. It now appears, according to the Journal, that the espionage was far more widespread than originally reported, extending to many more companies than the fourteen alluded to in the indictment. The Journal found that the attacks affected "at least a dozen cloud providers," which granted APT10 "access to a vast constellation of clients."
The known victims back when Reuters broke the story included IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp., HPE, and DXC Technology. The US Justice Department, in its indictment, alluded to fourteen other companies that allegedly fell to the ministrations of Messrs. Zhu Hua and Zhang Shilong. The two gentlemen are believed to have been employed by the Huaying Haitai Science and Technology Development Company, which itself served as a cyber operations contractor to the Chinese Ministry of State Security's Tianjin State Security Bureau.
APT10 seems to have been particularly interested in compromising managed service providers. This is entirely sensible as a target selection strategy, given the extent to which enterprises have continued to increase their reliance on managed service providers. Anne Neuberger, who leads the National Security Agency’s Cybersecurity Directorate, is quoted by the Journal as offering a Willie Suttonesque motive for the targeting. Why rob banks? That’s where the money is. The Chinese operators' take appears to have been a mix of industrial and traditional espionage collection. Apart from whatever trade secrets may have been culled from the affected companies, the US Government now says, according to the Journal, that some one-hundred-thousand US Navy personnel records were also exposed.
US Coast Guard warns of Ryuk infestation in a port.
According to ZDNet, a recent US Coast Guard Maritime Safety Information Bulletin addressed a Ryuk ransomware infection at a port facility. The facility was unnamed in the Bulletin, but the attack was sufficiently troublesome that other ports should take notice.
"A recent incident involving a ransomware intrusion at a Maritime Transportation Security Act (MTSA) regulated facility. Forensic analysis is currently ongoing but the virus, identified as 'Ryuk' ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee,” the Bulletin says, “the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files. The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems. These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted."
Attacks on physical security and process control monitoring systems present a different level of risk when compared to the more familiar ransomware infections that have afflicted business systems. And in this case the disruption to business systems would have been costly enough. The Bulletin doesn't mention demurrage costs, but it seems likely they would have been substantial.
Flight disruptions linger as RavnAir recovery proves unexpectedly protracted.
A cyberattack on RavnAir has proven more difficult to resolve than initial reports expected. The Alaska-based airline group said Monday that the attack, which hit December 20th, will now take up to a month to fully remediate. The attack, KUCB reports, specifically targeted RavnAir Alaska's Dash-8 aircraft, forcing the group to "disconnect the Dash 8 maintenance system and its back-up." RavnAir didn't provide details on the cyberattack, but the Register speculates that it may have been ransomware, based on the description and effects of the attack. The group's other two airlines, PenAir and RavnAirConnect, continued operations at a slower pace using backup systems. RavnAir is, of course, working with law enforcement organizations as they investigate.
Wyze confirms a server exposure.
Smart home security device company Wyze exposed data on 2.4 million customers between December 4th and December 26th, ZDNet reports. The exposed data included email addresses, WiFi SSID details, and technical information about the cameras. The database also contained Alexa integration tokens belonging to 24,000 users. Wyze's co-founder Dongsheng Song said in a statement that the database was secure when it was initially set up, but "a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed."
The database was discovered and publicly disclosed by Texas-based consulting firm Twelve Security. The firm didn't give Wyze notice before going public with its findings, alleging that the Seattle-based company was sending the data to the Alibaba Cloud in China either through "intentional espionage or gross negligence." (Wyze denies this claim). The breach was confirmed by IPVM and later by Wyze itself, but Ars Technica notes that Twelve Security is a "mysterious" and "possibly fake" company.
Travelex goes manual as it recovers from a malware infestation.
Travelex, a major London-based international currency exchange, is still working to restore online services after finding what it called a “software virus” in its systems on New Year’s Eve. The exchange is still able to conduct in-person transactions manually, and it has reassured customers that no personal data were compromised.
Google disabled Xiaomi devices' integration with Nest Hub and Assistant following reports that Xiaomi camera owners were receiving still images from other users' camera feeds. According to Engadget, Xiaomi says it's fixed the issue, which was due to a misfiring cache update on December 26th, but some work evidently remains to be done: the company has "also suspended this service until the root cause has been completely solved."
Crime and punishment.
The Wall Street Journal reports that law enforcement officials in an unnamed Western European country lost access to the phone of a terrorist suspect after WhatsApp warned 1,400 of its users that their phones had been hacked by NSO Group's Pegasus spyware.
Courts and torts.
Reuters reports that Brazil’s Ministry of Justice has fined Facebook R$6.6 million ($1.6 million) for improperly sharing the data of 443,000 Facebook users with the developers of the app "thisisyourdigitallife."
Turkey's Constitutional Court ruled that the Turkish government’s two-year ban on Wikipedia amounted to a violation of freedom of expression, according to the Associated Press.
Wawa is facing at least six lawsuits seeking class action status over the company's months-long data breach that exposed customers' payment information, the Philadelphia Inquirer reports.
Canadian laboratory services provider LifeLabs has been hit with two class action lawsuits following an incident in which hackers stole data belonging to up to 15 million customers, Insurance Business Canada says. One of the lawsuits is seeking more than $1.1 billion in compensation.
Policies, procurements, and agency equities.
The California Consumer Privacy Act (CCPA) is now in effect, and the Los Angeles Times reports the expected uncertainty surrounding a regulatory regime that will touch businesses in ways that have led some observers to compare CCPA to an American GDPR.
The US General Services Administration has announced that its procurement schedules, to be refreshed on January 15th of this year, will include bans on doing business with companies whose offerings include “substantial or essential” components from specified Chinese companies, notably Huawei and ZTE. FedScoop points out that this will affect companies whose supply chains are too enmeshed with those of the proscribed companies.
India, for its part, will subject equipment proposed for 5G networks to security trials, a development the Economic Times says has been welcomed by Huawei.
Taiwan’s government has adopted a rumor-control program that appears to be enjoying some success against Chinese disinformation campaigns mounted against the island republic’s elections, the Wall Street Journal reports. Taipei’s policy has combined a close relationship with social networks to ensure swift takedown of coordinated inauthenticity with very active outreach to push back against fake news. When they find disinformation, they quickly debunk it in social media, with the debunking taking the form of an easily understood and transmitted meme. The program may hold some lessons for other governments concerned about hostile information operations during election seasons, but it’s only fair to note that Taipei’s program has prompted domestic controversy. The opposition Kuomintang sees the program as designed to benefit the ruling Democratic Progressives, who oppose the Kuomintang's policy of favoring closer relations with China.
Sky News and other sources report that Ciaran Martin, first director of the UK's National Cyber Security Centre, will step down this summer.
The Washington Post reports that US Cyber Command is exploring ways to use information warfare against senior Russian leadership if Russia attempts to interfere in the 2020 US elections.
France's Constitutional Court ruled that French tax authorities can inspect people's social media profiles for signs of undeclared income, Reuters notes.
A Bureau of Land Management employee has retired after an investigation by the Office of Inspector General found that he had used his work computer to view saucy adult artistic productions, Nextgov reports.
Fortunes of commerce.
Huawei, which had a good 2019 despite the security controversies it encountered (according to the Wall Street Journal, its revenue reached $122 billion over the year), says it expects 2020 to be "difficult." But the company's CEO has put a brave (and even a poetic) face on the near future: "If not for the bone-deep bite of winter, where would we get the heady scent of plums?"
Google's former global head of international relations, Ross Lajeunesse, whose job in Mountain View was to devise policies that would implement the company's publicly avowed commitment to privacy and freedom of expression, says Google pushed him out for doing just that. The Washington Post reports that Google trimmed its don't-be-evil sails in response to Chinese pressure.
The US National Security Agency faces the same headwinds in the labor market as everyone else, and Government rules make it difficult for the Agency to compete on salary. The Agency expects the Centers of Academic Excellence it has designated to be central to its ability to attract cybersecurity talent, Federal Times reports. It's worth noting that many of those Centers are found in community colleges.
Mergers and acquisitions.
VMware on Monday announced the completion of its $2.7 billion acquisition of San Francisco-based cloud hosting provider Pivotal, TechCrunch reports.
San Jose-based Broadcom acquired New York-based cyber risk analytics provider Bay Dynamics on December 19th, the Silicon Valley Business Journal reports. Neither company has commented on the acquisition.
ARM and Gemalto are trying to sell their device and application security subsidiary Trustonic, Electronics Weekly notes.
Today's issue includes events affecting Brazil, Canada, China, India, Iran, Iraq, Japan, Democratic People's Republic of Korea, Republic of Korea, Russia, Turkey, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. In this episode, Jen Miller-Osborn from Palo Alto Networks discusses a Jira vulnerability that’s leaking data in the public cloud. The vulnerability, a server-side request forgery (SSRF), is similar to the issue that led to the Capital One data breach in July 2019. Jen Miller-Osborn shares the results of Palo Alto's research.