Executives are the backdoor into your organization. Who’s patching that?
Every day, companies are under cyberattack and the personal lives of executives are a weak spot. For too long corporate teams have been unable to protect the executives in their personal lives due to privacy laws/implications and SEC impacts. BlackCloak provides a Concierge Cybersecurity™ solution for these evolving threats and offers a customized cloak of protection to protect corporate executives in their personal lives. Enlist BlackCloak for your executive cyber protection.
The Week that Was.
January 25, 2020.
By the CyberWire staff
Saudi Arabia suspected in Bezos hack.
The Guardian reported on Tuesday that Amazon founder and Washington Post owner Jeff Bezos had his iPhone X hacked in May of 2018 via a malicious WhatsApp message sent from the personal WhatsApp account of Mohammad bin Salman (MBS), the Crown Prince of Saudi Arabia. The evidence comes from a report by FTI Consulting, which was hired in February 2019 to examine the phone after Bezos's security adviser received a warning that the device may have been targeted by an APT. Motherboard obtained FTI's report, which explained that MBS sent Bezos an unsolicited video attachment and an encrypted downloader over WhatsApp on May 1st, 2018, a little less than a month after Bezos and the Crown Prince exchanged phone numbers. The investigators weren't able to decrypt the downloader, but the report states that "within hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter."
United Nations human rights experts released a statement after examining the FTI Consulting report, concluding that it "suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia. The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals. These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi." The UN officials called for an "immediate investigation by US and other relevant authorities." Most reporting seems to agree that Bezos was targeted due to his ownership of the Washington Post and the Post's employment of Khashoggi.
The Wall Street Journal cites cybersecurity and forensics specialists who noted that FTI's investigation is missing some important steps and pieces of evidence, the most prominent being the actual malware used to compromise the phone. Many observers suspect NSO Group's Pegasus tool, which has been in the news recently due to reports that the spyware exploited a vulnerability in WhatsApp to compromise targets' phones, but NSO strongly denies involvement in the Bezos hack. In a statement to CNN, the company said "Our technology was not used in this instance. We know this because of how our software works and our technology cannot be used on US phone numbers. Our products are only used to investigate terror and serious crime. Any suggestion that NSO is involved is defamatory and the company will take legal counsel to address this." FTI's report cited NSO's Pegasus tool and Hacking Team’s Galileo as examples of the type of spyware that can perform this type of exfiltration, but it didn't confirm that either was used in this instance.
Unleash the Power of a Threat Aware Network with Juniper Connected Security
Juniper Connected Security allows your organization to enable a Threat Aware Network, where the network infrastructure itself plays a role in information security, provides deep network visibility, and enforcement on all points of connection throughout the network. Come see us at RSA, Booth #6161, North Hall to discuss how to leash the power of your Threat Aware Network with Juniper Connected Security.
Citrix vulnerability exploited by ransomware gang, stolen data dumped online.
The REvil gang launched a crippling ransomware attack against German parts manufacturer Gedia Automotive Group earlier this week, and they began posting stolen data online when the company refused to pay the ransom, according to Computer Weekly. The group claims to have stolen fifty gigabytes of data, which they say includes "blueprints, employees’ and clients’ details." In a statement that's since been deleted, Gedia said it would take weeks or months to fully recover from the attack.
ZDNet reported Friday that the hackers exploited CVE-2019-19781 in Citrix devices to deploy the REvil/Sodinokibi ransomware against Gedia. A researcher at Under the Breach found evidence of such a compromise while examining files the REvil gang had stolen from posted online. ZDNet cites unconfirmed rumors that Maze, another ransomware crew known for stealing and leaking data, has also been making use of the vulnerability.
It's worth noting that data theft preceding a ransomware attack isn't necessarily new. There's a possibility of data exfiltration anytime there are criminals poking around in a network for an extended period of time. The difference now is that attackers are openly flaunting the stolen data, thereby removing any uncertainty that data confidentiality has been compromised. BleepingComputer predicts that lawmakers will soon revise data breach laws to accommodate this trend.
Cybersecurity moves fast. Get everything you need to keep up at RSAC 2020.
How do busy cybersecurity professionals stay on top of basic frameworks and emerging trends? By attending the one event that connects you to top industry leaders and a global community that is dedicated to making the world a safer place. Join RSAC 2020 February 24-28 for access to expert-led track sessions, inspiring keynotes, in-depth trainings, innovation in action, career-enhancing networking opportunities and so much more. Register today!
European energy organization compromised by PupyRAT.
Researchers at Recorded Future spotted a command-and-control server used by PupyRAT, an open-source red teaming tool, communicating with an email server at a European energy organization between late November 2019 and January 5th 2020. Based on the volume and consistency of the C2 traffic, the researchers concluded that the organization had likely been compromised.
The researchers note that PupyRAT has been used in the past by Iranian threat groups APT33 and Cobalt Gypsy (which is related to APT34), and they point to a recent warning from Microsoft that APT33 had dramatically increased its targeting of ICS equipment vendors in the energy sector. However, since PupyRAT is open source, they can't confirm that either of those groups was behind this incident. The researchers also observe that the activity predates the death of Qassem Soleimani, so if Iranian actors are to blame, then it most likely indicates espionage or battlespace preparation rather than a response to escalating tensions.
Regardless of who bears responsibility, the researchers emphasize that "the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe."
Simple, secure identity and access management for your business.
LastPass Identity provides simple control and visibility across every entry point to your business through single sign-on, password management and multi-factor authentication in one unified solution. LastPass Identity provides a holistic view of end user activity to simplify security for IT, all while delivering the passwordless login experience employees want. Start a free LastPass Identity trial today.
Mitsubishi discloses data breach.
Mitsubishi Electric confirmed on Monday that it had experienced a "massive cyberattack," which it detected on June 28th, 2019. The attack was first reported by Nikkei and the Asahi Shimbun, both of whom said the Chinese-linked cyberespionage group "Tick" (also known as "Bronze Butler," and "RedBaldKnight") is thought to be the culprit. According to the Japan Times, Mitsubishi believes the attackers may have stolen data on approximately 8,000 employees, retirees, and job applicants, along with "email exchanges with the Defense Ministry and Nuclear Regulation Authority, as well as documents related to projects with firms including utilities, railways, automakers and other firms." The company doesn't believe any "highly sensitive information on defense, electricity or other infrastructure operations" was compromised, although BleepingComputer notes that the investigation is ongoing.
JhoneRAT targets the Middle East and North Africa.
Cisco Talos describes a new remote access Trojan targeting Arabic-speaking countries in the Middle East and North Africa. The Trojan, which the researchers have named "JhoneRAT," depends on Google Drive, Twitter, Google Forms, and ImgBB for its command-and-control operations and data exfiltration. JhoneRAT receives commands via tweets from an attacker-controlled Twitter account, downloads additional files from Google Drive, sends the output of certain commands to Google Forms, and exfiltrates screenshots by uploading them to ImgBB. The researchers say the Trojan's use of these services provides "a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective."
Deep-learning firm Blue Hexagon has also been tracking the campaign. In a report published Thursday, Blue Hexagon stated that the attackers "sent infected payloads via a legitimate email marketing provider to targets in the Persian Gulf and the Middle East," explaining that "using a known vendor would likely bypass existing email security tools." The malware is being distributed via spearphishing attachments themed around the death of Qassem Soleimani.
It's not clear who's behind JhoneRAT. Blue Hexagon's researchers note that despite the fact that the spearphishing documents were Iran-themed, they don't believe Iran is involved. Talos says the campaign has been ongoing since November 2019, and is targeting users with keyboard layouts matching Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
Want to be among the first to know when the new CyberWire Pro launches?
Coming in February 2020, CyberWire Pro is an independent news service you can depend on to stay informed, and save time. This unique offer includes valuable content such as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. Sign up to be one of the first in the know about the CyberWire Pro release at thecyberwire.com/pro.
Citrix has released highly anticipated patches for CVE-2019-19781, a critical directory traversal flaw in Citrix's Application Delivery Controller (ADC) and Gateway products. The Register points out that since attackers have been exploiting the flaw in the wild for weeks, administrators should also ensure they haven't already been hacked. To assist with this, Citrix and FireEye have released an open-source tool that can detect known indicators of compromise. The tool can be run on all affected versions of Citrix ADC and Gateway (versions 10.5, 11.1, 12.0, 12.1, and 13.0), and with Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100.
Internet Explorer contains a zero-day vulnerability that could enable remote code execution, but it probably won't be patched until February 11th, according to TechCrunch. Microsoft told TechCrunch that the vulnerability was being exploited in "limited targeted attacks." US-CERT tweeted an advisory about the flaw, which explained that "by convincing a user to view a specially crafted HTML document (e.g., a web page an email attachment), PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code." The advisory notes that restricting access to jscript.dll can mitigate the vulnerability until a patch is available.
Crime and punishment.
The New York Times reports that Brazilian Federal prosecutors have unsealed charges of "cybercrimes" against Glenn Greenwald, an American journalist who co-founded the Intercept and now resides in Brazil (best known for publishing the Snowden leaks). The charges relate to a series of articles Greenwald published in June of 2019, which exposed leaked phone conversations involving Brazil's Justice Minister Sergio Moro and an anti-corruption task force. Prosecutors have accused Greenwald of playing a "clear role in facilitating the commission of a crime" by advising the individuals who hacked the phones to delete the archived files after they had given them to the Intercept. Greenwald denied committing a crime in an interview with the New Yorker on Wednesday, saying that "when the source first talked to me, he had already obtained all the material that he ended up providing us, making it logically impossible for me to have in any way participated in that act."
La Presse reports that an 18-year-old Canadian, Samy Bensaci, is awaiting trial for his involvement in SIM swapping schemes that resulted in the theft of $50 million worth of cryptocurrency from people in the US and $300,000 from Canadians. Bensaci has been charged with "fraud, unauthorized use of a computer, mischief targeting computer data and identity fraud," and he's been restricted from accessing "any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet." The US Secret Service tipped Canadian police to Bensaci's involvement in the scheme, and he was arrested in British Columbia.
A 22-year-old Georgia man who founded a DDoS mitigation firm has pleaded guilty to hiring DDoS-for-hire services, KrebsOnSecurity reports.
Courts and torts.
The Hill reports that the US Supreme Court has declined to hear a case brought forward by Facebook over whether users can sue Menlo Park for using facial recognition software on their photos without gaining their consent. The class-action lawsuit claims that the company violated Illinois's biometric privacy law by using facial recognition to tag users in photos. According to The Hill, Facebook's petition to the Supreme Court stated that "Although plaintiffs claim that their privacy interests have been violated, they have never alleged — much less shown — that they would have done anything differently, or that their circumstances would have changed in any way, if they had received the kind of notice and consent they alleged that [the Illinois law] requires, rather than the disclosures that Facebook actually provided to them." Illinois's law permits users to sue for up to $5,000 for each privacy violation, so the lawsuit could result in Facebook having to pay out billions of dollars.
Policies, procurements, and agency equities.
Reuters cites anonymous sources as saying that British officials have recommended that Huawei's equipment be permitted into the UK's 5G infrastructure, but restricting it from the core of the network and sensitive government systems. The country's National Security Council will meet next week to decide Huawei's role in the country's 5G network.
India's Central Electricity Regulatory Commission has published a set of draft rules that would require grid operators to implement a number of cybersecurity measures, Bloomberg reports. The measure is probably spurred by the cyberattack that hit the IT systems of India's Kudankulam nuclear plant in September 2019.
The German government will pay Microsoft at least €800,000 in 2020 for extended security updates for about 33,000 PCs still running Windows 7, ZDNet reports. The government has been working on migrating its systems to Windows 10 since 2018, but the process is still far from complete.
Canada is willing to "impose costs" on malicious cyber actors that threaten the country's security or interests, 660 News reports.
The Ukrainian government is considering a bill that would combat disinformation, but critics say the proposed law would allow too much government interference in journalism, according to RadioFreeEurope|RadioLiberty.
Fortunes of commerce.
Reuters reports that Apple scrapped its plans to offer end-to-end encryption for users' iCloud backups following objections from the US FBI. The plan was dropped about two years ago, although the exact reasons for its cancellation are unclear. One former Apple employee told Reuters the project was ditched because "[t]hey decided they weren’t going to poke the bear anymore," while another employee believes it may have been due to technical concerns about customers getting locked out of their data. Former FBI officials, meanwhile, told Reuters that the plan was discarded because Apple was convinced by the Bureau's arguments that the data needed to remain accessible in order to pursue criminals.
Mergers and acquisitions.
San Francisco-based cyber insurance provider Coalition has acquired Switzerland-based data analysis company BinaryEdge for an undisclosed amount, Computing reports.
CFC, another cyber insurance business, has purchased London-based cyber risk intelligence company ThreatInformer, according to Insurance Age.
VMware plans to acquire network analytics company Nyansa, which is based in Palo Alto, California.
Ryerson University's Rogers Cybersecure Catalyst is partnering with Toronto-based tech accelerator DMZ to launch the Catalyst Cyber Accelerator, a commercial accelerator for Canadian cybersecurity startups. The program is now accepting applications for its first cohort, according to MobileSyrup.
Today's issue includes events affecting Algeria, Bahrain, Canada, China, Egypt, Germany, Iran, Iraq, Israel, Kuwait, Lebanon, Libya, Morocco, Oman, Russia, Saudi Arabia, Tunisia, Ukraine, United Arab Emirates, United Kingdom, United Nations, United States, and Yemen.
ON THE PODCAST
Research Saturday is up. In this week's episode, "Know Thy Enemy - Identifying North American Cyber Threats," we hear from researchers at Dragos, who are tracking threats to the electric sector. Selena Larson from Dragos joins us to discuss their new report, "North American Electric Cyber Threat Perspective."
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.