Cyber Attacks, Threats, and Vulnerabilities
Iran conducted 'major cyber assault' on key UK infrastructure (Sky News) Mobile phone numbers of MPs and peers were among data harvested during an attack last December.
ISIS’s West African Offshoot Is Following al Qaeda’s Rules for Success (Foreign Policy) The amorphous Boko Haram splinter group is taking inspiration where it can get it and bringing disaster to the Lake Chad Basin in the process.
Hackers linked to Chinese intelligence may be behind ASUS computer attack (The Hindu) Kaspersky Labs suspects Barium APT also targeted Microsoft in 2017: State Cyber department’s report
North Korea's elite hackers are funding nukes with crypto raids (WIRED UK) APT 38 is Kim Jong-un's highly skilled group of bank hackers. After raising $1 billion for the country from heists, its attention turned to cryptocurrency
Lazarus Hacker Group Continues to Target Crypto Using Faked Trading Software (Bitcoin Magazine) A Chinese security service provider has issued a warning that a large number of crypto exchanges have been targeted by the North Korean hacker group Lazarus.
OceanLotus APT Uses Steganography to Load Backdoors (BleepingComputer) The OceanLotus advanced persistent threat group (also known as APT32 or Cobalt Kitty) is using steganography-based loaders to drop backdoors on compromised systems.
Report: OceanLotus APT Group Leveraging Steganography (BlackBerry Cylance) BlackBerry Cylance recently uncovered a novel malware payload loader during our ongoing surveillance of the OceanLotus (APT32) group. The loader uses steganography to read an encrypted payload concealed within a .png image file. This white paper offers an in-depth look at two concerning technical achievements recently employed by this APT.
We found a massive spam operation — and sunk its server (TechCrunch) For ten days in March, millions were caught in the same massive spam campaign. Each email looked like it came from someone the recipient knew: the spammer took stolen email addresses and passwords, quietly logged into their email account, scraped their recently sent emails and pushed out personaliz…
Advantech WebAccess/SCADA (ICS-CERT) 1. EXECUTIVE SUMMARY: CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Advantech. Equipment: WebAccess/SCADA. Vulnerabilities: Command Injection, Stack-based Buffer Overflow, Improper Access Control. 2. RISK EVALUATION: Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.
‘Beyond Sketchy’: Facebook Demands Users’ Email Passwords (The Daily Beast) Mark Zuckerberg admitted recently that Facebook doesn’t have a ‘strong reputation’ for privacy. An odd new request for private data probably won’t help with that rep.
Facebook Is Just Casually Asking Some New Users for Their Email Passwords (Gizmodo) Facebook has been prompting some users registering for the first time to hand over the passwords to their email accounts, the Daily Beast reported on Tuesday—a practice that blares right past questionable and into “beyond sketchy” territory, security consultant Jake Williams told the Beast.
Facebook caught asking users for the passwords to their email accounts (The Telegraph) Facebook has been caught asking new users for the passwords for their email accounts in order to verify their accounts.
Unnam3d Ransomware Moves Files Into Protected RAR Archives, Demands Amazon Gift Card (Security Intelligence) Security researchers discovered a new ransomware family called Unnam3d that moves targeted files into protected RAR archives and demands an Amazon gift card as ransom.
Skype Android bug automatically answers phone calls without permission (The Telegraph) Skype calls on Android phones are being automatically answered without the recipient's consent, according to users.
150 Million People Affected By SimBad Adware on Android (Security Boulevard) SimBad, a new strain of adware, was found installed on more than 210 Android Apps disguised as an advertisement kit and named RXDrioder.
Malware Actors Using New File Hosting Service to Launch Attacks (Security Boulevard) Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware. Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment.
Data breach exposes up to 1.3M Georgia Tech faculty, students (Atlanta Journal Constitution) It sounds a bit ironic: a data breach potentially affecting 1.3...
Pro-Palestinian hackers breach 120 Israeli websites (Haaretz) Israeli cyber security firm ClearSky's report shows hackers took over the sites to prepare for an annual cyberattack known as OPIsrael and planned for April 7
2020 Census likely target of hacking, disinformation campaigns, officials say (Washington Post) The Census Bureau is working with social media companies, cybersecurity experts to protect the count of 330 million Americans, which determines federal funding, congressional apportionment, and redistricting
Game of Thrones: a Top Malware Conduit for Cybercriminals (Threatpost) The HBO blockbuster is the most-targeted show for malware-laden pirated files.
March Madness Scams Give Attackers Fast Break (Threatpost) Researchers have seen March Madness-related phishing scams, fake domains and adware spike as cybercriminals take a pass at tournament viewers.
New scam aims to trick you into giving up your cell phone account information (USA TODAY) If someone calls you pretending to be from your cell phone carrier and asks for a verification code, don't give it to them.
Arizona Beverages knocked offline by ransomware attack (TechCrunch) Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned. The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows…
Cybercriminals Fall for IoT Honeypots (Security Boulevard) On Sunday 24th February, the eve of Mobile World Congress 2019, Avast security researchers Martin Hron, Vladislav Iliushin, Libor Bakajsa, and Anna Shirokova set a project in motion: the deployment of 500 honeypots in 10 countries around the world that would run for the length of the show (four days), and beyond.
This is how cyber-thieves rob banks and easily get away with it (MarketWatch) Robbers no longer need masks — they simply exploit wide-open system security holes to plunder data and money.
Albany continues computer recovery after weekend cyber-attack (WNYT NewsChannel 13) The city of Albany continues to try and recover from a cyber-attack last weekend.
April Fool's joke may be behind Bitcoin price spike (The Telegraph) An April Fool's joke is believed by some to be behind a rally that sent Bitcoin to its highest level in almost five months on Tuesday.
Security Patches, Mitigations, and Software Updates
VMware patches critical vulnerabilities (Naked Security) VMware has released patches for several critical security vulnerabilities, days after two were unveiled at Pwn2Own.
Cyber Trends
85 percent of organizations don't meet basic levels of PAM security (BetaNews) While 78 percent of organizations now include privileged credential protection as part of their cyber security policies, their privileged access management (PAM) security practices are still lacking.
D3 Security and SANS Survey Illustrates the Need for Security Automation to Stabilize the Critical Resource and Skills Gap (BusinessWire) D3 Security, an innovator in security orchestration, automation and response (SOAR) technology, today announced the results of the 2019 Automation and
Virulent Ransomware Strains Trust in Cyber Insurance (International Policy Digest) New more potent strains of virtual ransomware attacks are emerging.
Thailand ‘Asia’s fourth-biggest source of DDoS attacks’ (The Nation) Thailand ranks fourth on a list of countries in the Asia-Pacific region from which DDoS attacks originate.
Cryptojacking Still a Foreign Concept for Many Security Pros (BleepingComputer) For over 57% of the 150 cybersecurity professionals surveyed by Exabeam the concept of cryptojacking is not something they are acquainted with, while roughly 65% said that they are also unfamiliar with shadow mining.
Marketplace
Facebook cannot guarantee interference-free EU elections: Zuckerberg (Reuters) Facebook Inc is much better than it was in 2016 at tackling election interferenc...
Facebook Had an Incredibly Busy Weekend (WIRED) Here’s all the news you may have missed, including a major News Feed change and Mark Zuckerberg calling for government regulation.
Sorry Mark Zuckerberg, your empty words still don't convince me (The Telegraph) The Facebook mea culpa has become a regular occurrence in recent months, with the giant of social media’s top execs scrambling to promise to ‘do better’ in the wake of sustained pressure and repeated controversies.
YouTube Executives Ignored Warnings, Letting Toxic Videos Run Rampant (Bloomberg) Proposals to change recommendations and curb conspiracies were sacrificed for engagement, staff say.
Google shuts down its failed social network Google+ amid security issues (Computing) Google+ was launched in 2011 but failed to attract a sizable or active user base compared to Facebook and Twitter
Rapid7 Buys Network Traffic And Security Monitoring Vendor NetFort (CRN) Purchasing NetFort will improve Rapid7’s ability to detect attacks, investigate incidents and gain more visibility into devices that pose a risk to organizations, the company says.
Israeli firm buys Ukrainian startup for nearly $4 million (KyivPost) Israeli internet company Perion is to pay $3.7 million as it acquires a small Ukrainian startup which develops artificial intelligence and works in online marketing. Septa Communications, also known as Captain Growth, consists of only eight people. The startup produces artificial intelligence that helps companies to advertise on Facebook and through Adwords. It analyzes marketing …
Aqua Security Closes $62M in Funding to Cement Its Leadership in Cloud Native Security (Aqua) Led by Insight Partners, the investment enables Aqua to expand its platform to secure microservices applications on containers and serverless infrastructure.
Greylock leads $14 million investment in application security startup Sqreen (VentureBeat) Sqreen, a cybersecurity startup that helps developers monitor and protect their web apps from vulnerabilities and attacks, has raised $14 million.
How Splunk is working to become the 'nerve center' for cybersecurity operations (CyberScoop) Monzy Merza, VP, Head of Security Research at Splunk talks with CyberScoop’s Greg Otto on how Splunk wants to free cybersecurity analysts from doing the mundane tasks that bog down security operations.
2019 Women in Cybersecurity ((ISC)²) (ISC)² took a new approach to surveying the cybersecurity workforce. This new look at the workforce revealed that the percentage of women in cybersecurity is roughly 24%.
'Mid-career Switch from Mechanical Engineering to Cyber' (US Black Engineer) How Cedric Fletcher made the leap from mechanical engineering to cyber engineering.
What Can Your Company Do To Attract Top Cybersecurity Talent? (TechNative) Last year's cybersecurity scorecard did little to reassure consumers that large companies are serious about security and privacy. Massive data leaks hit the news every month against the background buzz of hundreds of smaller breaches that didn't make the front page.
Intel to cut more than 100 jobs from headquarters (Silicon Valley Business Journal) Intel has confirmed its latest layoffs will affect IT departments at four of its Silicon Valley campuses.
Intercede shares rally amid $4.3m US fed contract (UK Investor Magazine) Intercede shares rallied on Tuesday after the company announced it had received a $4.3 million order from the U.S. federal government.
VMware announces new global channel program (CRN Australia) And tweaks its Australian arrangements too.
Telos Announces Membership in Global Cyber Alliance (GCA) to Collectively Confront Cyber Risks and Improve the Connected World (BusinessWire) Telos CSO Richard Tracy joins the GCA's Strategic Advisory Committee to provide thought leadership on cyber risk and compliance management.
SecureAuth Appoints Veteran Sales and Marketing Executives to Support Global Hypergrowth and Leadership in the Identity Security Market (SecureAuth) SecureAuth Corp., the secure identity company, today announced the appointment of John Nassar as Chief Revenue Officer, and Robert Humphrey as Chief Marketing Officer. Nassar and Humphrey join the executive team to scale the worldwide sales and marketing organization, supporting the rapid growth of the company.
FBI’s Chief Hacker Joins FTI Consulting’s Growing Cybersecurity Practice (West) Ronald Yearwood Joins in San Francisco and Brings 30 Years of Cybersecurity and Law Enforcement Expertise
Products, Services, and Solutions
Nok Nok Labs Announces Successful Deployment of Biometric Authentication for Insurance Customers of Aflac Japan (PR Newswire) Nok Nok Labs (Nok Nok), the trusted leader in next-generation authentication today announced that its partner...
Cynet Announces Free Cybersecurity Threat Assessment for Midsize and Large Organizations (PRWeb) Cynet, pioneers of the automated threat discovery and mitigation platform (http://www.cynet.com), today announced the Cynet Threat Assessment program. The free off
Zettaset Launches XCrypt Service Encryption for Cloud Foundry (BusinessWire) Cloud Foundry Summit (Booth #S7) – Zettaset, a leading provider of software-defined encryption solutions, today introduced its groundbreaking new visi
SCADAfence Chosen by Mitsui Fudosan to Secure Building Management Systems (PR Newswire) SCADAfence, the global leader in operational technology (OT) security and the most widely deployed OT ...
Are there viable alternatives to Facebook and Twitter? (Naked Security) There’s growing interest in social networks that prioritize user control. Two of the popular ones are Mastodon and Diaspora.
Spark expands use of Splunk for real-time monitoring and security (New Zealand Reseller News) Spark New Zealand is using Splunk software to help monitor mobile towers in real-time while keeping broadband internet flowing.
Technologies, Techniques, and Standards
Three Triggers Telling You It’s Time to Reconsider Your Network Security Strategy (Bricata) Businesses are more reliant on their networks to conduct business so it's important to evaluate a network security strategy as if your business depended on it.
Inside the Democrats’ Plan to Fix Their Crumbling Data Operation (WIRED) After seeing the crucial role data played in the 2016 election, the DNC has spent the past two years revamping its infrastructure to take on Trump in 2020.
Design and Innovation
How a former Apple lead plans to make developers key to security solutions (TechRepublic) Security has tended to be a bolt-on to enterprise software, but Sqreen hopes to make it part of the normal way developers work.
Legislation, Policy, and Regulation
Dutch security agency warns against Chinese, Russian technology (Reuters) The Dutch security service advised the government on Tuesday not to use technolo...
Global Consequences of Escalating U.S.-Russia Cyber Conflict (Council on Foreign Relations) U.S. offensive cyber operations might deter Russia and other U.S. adversaries online, but we should consider the global consequences of escalating cyber conflict.
Behind the Scenes of Russia’s Military Detachment to Venezuela (Jamestown) On March 23, a Russian defense ministry Ilyushin Il-62 passenger jet and an Antonov An-124 military cargo plane arrived at Simón Bolívar International Airport, having departed from the Chkalovsky military airbase (with an intermediate stop in Syria). Carrying 35 tons of cargo, the two aircraft delivered 99 Russian military specialists, headed by the first deputy commander-in-chief of the Land Forces, …
Colombia rejects Russia warning against Venezuelan military action (Reuters) Colombia on Tuesday rejected a Russian warning against foreign military interven...
Chinese hacking groups to ramp up cyber attacks on some industries, experts say (CSO Online) Companies in industries critical to China’s five-year plan face a higher risk of nation-state-sponsored cyber attacks.
Current, former Pentagon leaders sound alarm on Chinese technology in 5G networks (Washington Post) Defense officials are concerned that future combat operations could be compromised through advanced wireless systems.
Opinion | Keep the Chinese government away from 5G technology (Washington Post) The risks are just too high.
Nuanced Approach Needed to Deal With Huawei 5G Security Concerns (Dark Reading) Governments need to adopt strategic approach for dealing with concerns over telecom vendor's suspected ties to China's intelligence apparatus, NATO-affiliated body says.
Sharpened call for an Australian cyber civil defence organisation (ZDNet) A University of NSW Canberra research group recommends forming a provisional National Commission for Cyber Civil Defence to help defend against a "cyber storm" that's already upon us.
Exclusive: U.S. senators want stiff sanctions to deter Russia... (Reuters) U.S. Republican and Democratic senators will introduce legislation on Wednesday ...
Public-private joint effort is needed to prevent a cyber Pearl Harbor (TheHill) The threat of a destructive cyber attack that could cost lives is growing every day.
How DHS is following the DOD's plan for internal cybersecurity (CyberScoop) The Department of Homeland Security (DHS) is trying to replicate a plan used by the Department of Defense to protect and defend its network.
House bill would create panel of cyber experts to help DHS (Federal News Network) In today's Federal Newscast, bipartisan legislation in the House would create a panel of cyber professionals to advise the Department of Homeland Security.
Exclusive: Homeland Security Disbands Domestic Terror Intelligence Unit (The Daily Beast) While the body counts from domestic terror attacks mount, the analysts looking into those attacks have been moved.
Litigation, Investigation, and Law Enforcement
Intel to examine deepfake videos in hearing (TheHill) The House Intelligence Committee is planning to hold a hearing in the coming months that will examine a series of national security matters, including the threat of videos manipulated by artificial intelligence that…
Woman with Chinese passports, malware arrested at Trump’s Mar-a-Lago resort (Washington Post) Court documents say the woman, Yujing Zhang, was carrying a thumb drive when Secret Service agents stopped her.
Cybersecurity experts urge skepticism over claims Saudis hacked Bezos's phone (Yahoo) When Jeff Bezos’s personal security consultant published a startling indictment of the National Enquirer on Saturday, alleging that the tabloid publication may have worked with Saudi Arabia to expose the Amazon CEO’s affair, there was one thing missing: any evidence for the claim.
Kaspersky Lab appeals to court of public opinion with 'unbiased' assessment of Russian law (CyberScoop) The legal battle between Russian antivirus maker Kaspersky Lab and the U.S. government has quieted, but the court of public opinion is still open for arguments. Countering U.S. officials and critics who say otherwise, Kaspersky Lab on Tuesday released an analysis arguing that, under Russian law, the company would not be subject to certain demands from authorities for data.
Canadian Police Raid ‘Orcus RAT’ Author (KrebsOnSecurity) Canadian police last week raided the residence of a Toronto software developer behind “Orcus RAT,” a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015. Its author maintains Orcus is a legitimate Remote Administration Tool that is merely being abused, but security experts say it includes multiple features more typically seen in malware known as a Remote Access Trojan.
Analysis | The Cybersecurity 202: Arrest at Mar-a-Lago spotlights simple but pervasive threat of thumb drives (Washington Post) USB sticks have played a role in many big government hacks.
Chinese woman carrying ‘malware’ arrested at Mar-a-Lago heading to a Cindy Yang event (Miami Herald) U.S. Secret Service arrested a woman at Mar-a-Lago on Saturday who had a thumb drive with malware. She said she had been invited to Mar-a-Lago by a Chinese friend she identified only as ‘Charles.’
Chinese woman carrying thumb drive with malware arrested at Trump’s Mar-a-Lago resort (Washington Post) Court documents say the woman, Yujing Zhang, was carrying a thumb drive when Secret Service agents stopped her.
GAO Denies Protest Over $55M Deloitte Army Cyber Deal (Law360) The Government Accountability Office on Tuesday denied MacAulay-Brown's protest over a nearly $55 million Army cyber analytics deal awarded to Deloitte, saying it has "no basis to question" the Army's evaluation of Deloitte's proposed price, which was millions less than MacAulay-Brown's.
Censorship or safeguard? Groups challenge pre-pub review (WRAL.com) Civil liberties groups have filed a lawsuit challenging a pre-publication review required for people who have had access to government secrets.
These former agents say the CIA and NSA are censoring them. Now they’re suing. (Washington Post) The lawsuit alleges the government’s pre-review process for published work is an unconstitutional “system of censorship.”
Swedbank’s Crisis Management Questioned in Walk-Up to Money-Laundering Investigations (Wall Street Journal) A sequence of events at the Swedish lender, including the firing of CEO Birgitte Bonnesen last week, provides a case study in one of the riskiest balancing acts executives attempt when faced with a corporate crisis: trying to apply the right amount of weight to reassuring investors on one side and enough weight to publicly addressing the problem on the other.
Firms Tied To Fusion GPS, Christopher Steele Were Paid $3.8 Million By Soros-Backed Group (Daily Caller) The Democracy Integrity Project was founded by a former Senate Intel staffer
Democrats preparing to unleash subpoenas over Trump security clearances (Roll Call) Chairman Elijah Cummings hinted Monday that his House Committee on Oversight and Reform is preparing to unleash a series of subpoenas starting this week for their investigation into the White House’s security clearance policy.