The CyberWire Daily Briefing 6.25.19

Summary

By the CyberWire staff

Cybereason has released a report on a long-running, extensive (but highly focused) campaign, "Operation Soft Cell," that compromised mobile networks to collect metadata. It appears to be the work of Chinese intelligence services, specifically APT10 (also known as Stone Panda). It's "either APT10 or someone operating just like them," as the Register puts it, to express the attribution with proper caution.

The Washington Post notes that the US did, as promised over the weekend, announce new sanctions against Iran, with President Trump warning Iran not to overestimate American patience or restraint, as both of these have limits. For its part Iran pointed out that it could knock down an American drone any time it decided to do so, and that "the enemy knows it." According to the Wall Street Journal, the new sanctions directly affect senior Iranian leaders. Observers tell the Post that an Iranian cyber campaign, if one continues to develop, will probably resemble Tehran's earlier work: opportunistic and destructive.

Positive Technologies looks at mobile device security and finds that a prospective data thief rarely needs physical access to a phone in order to pull information from it. The root problem, the researchers find, lies in insecure data storage, and the problems with such storage all too often derives from the earliest stages of app development, where design decisions are made without fully thinking through their security implications.

Cloudflare traces yesterday's US Internet outages to a "cascading catastrophic failure" that began with Verizon. Thus, a fumble, not an attack.

Have Your Users Made You an Easy Target for Spear Phishing?

Notes.

Today's issue includes events affecting China, Germany, Iran, Ireland, Israel, Russia, United Kingdom, United States

Bring your own context.

Loud and primitive threat actors are opportunistic and go for the easily exploitable. But remember, the low, slow, quiet, and sophisticated threats can do much the same.

"And in many of these cases, we're seeing the sophistication that occurs afterwards not be particularly high with some of these really loud actors. But keep in mind that those vulnerable hosts, those default credentials, sit out there for more sophisticated actors to use as well - so the things that we need to be concerned about, even if the very loud ones aren't actually causing much impact at the end of the day."

—Mike Benjamin, senior director of threat research at CenturyLink's Black Lotus Labs, on the CyberWire Daily Podcast, 6.21.19.

The bad actors' goal usually isn't to display their own virtuosity.

Modernizing security analytics and operations with SOAPA.

Security operations is held back by the compromises of existing security analytics solutions, and throwing more money and time at the problem isn’t helping. Instead, you are left dealing with an army of point tools, exponential data growth, lack of context... the list goes on.

It's time to take a new approach to security analytics - explore how Devo can help evolve your SOC in this report by ESG.

On the Podcast

In today's podcast, out later this afternoon, we talk with our partners at Dragos, as Sergio Caltagirone outlines the growing tensions between the US, Russia and Iran and offers some insight into how providers of critical infrastructure can prepare to withstand them. Tamika Smith interviews Danielle Gaines, a reporter for Maryland Matters, on Maryland Governor Hogan’s response to the Baltimore ransomware incident: the creation of the Maryland Cyber Defense Initiative.

And Recorded Future's latest podcast, produced in partnership with the CyberWire, is up. In this episode, "Being Courageous, Curious, and Thoughtful in Cybersecurity," Cyber analyst Tracy Maleeff joins the show to share her unusual cybersecurity journey and discuss the importance of diversity in the workplace.

Sponsored Events

RSA Conference 2019 Asia Pacific & Japan (Singapore, Republic of Singapore, July 16 - 18, 2019) Join industry leaders and peers at the region’s leading cybersecurity event. Learn the latest issues and solutions, stay on top of new regulations, demo cutting-edge products, expand your skills and grow your personal network. Register now.

Wicked6 Cyber Games (Las Vegas, Nevada, United States, August 6, 2019) Wicked6 is a fundraiser and cybersecurity exhibition in a thrilling esports arena in Las Vegas on August 8, 2019. It’s a week when cybersecurity leaders from around the world come to Las Vegas, and all are welcome to come by to experience this exciting and unique cyber competition as a player, sponsor, or avid fan. Wicked6 will raise funds for the Women’s Society of Cyberjutsu, a national 501(c)(3) nonprofit that promotes training, mentoring and more to advance women and girls in cybersecurity careers.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

As Iran Warns, US Officials Mum on Launch of Cyber Attack (Military.com) President Donald Trump reportedly approved a cyber attack on Iran while calling off airstrikes.

Analysis | The Cybersecurity 202: Here's how Iran disrupted U.S. businesses the last time it launched major cyberattacks (Washington Post) Including Sheldon Adelson's casino.

What to make of US cyber activities in Iran (Fifth Domain) Experts told Fifth Domain that a cyberattack in Iran signals that U.S. leaders are becoming increasingly comfortable with cyberwarfare and, in some cases, now view cyber operations as a half-step removed from a kinetic conflict.

[Heads-up] The U.S. Launched A Cyber Attack On Iran, And We're Expecting Spear Phishing Strike Backs (KnowBe4) The tension in the Middle-East apparently prompted a game-changing move by the U.S. President.

U.S. Sees Russia, China, Iran Trying to Influence 2020 Elections (Bloomberg) Cybersecurity firm says Iran spearphishing at U.S. banks. Trump expected to meet Putin, Xi at G-20 later this week.

Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers (Cybereason) In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers. Read about it first here.

A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata (WIRED) In one case, they stole the location and call record data of 20 specific individuals.

Hackers are stealing years of call records from hacked cell networks (TechCrunch) Security researchers say they have uncovered a massive espionage campaign involving the theft of call records from hacked cell network providers to conduct targeted surveillance on individuals of interest. The hackers have systematically broken in to more than 10 cell networks around the world to d…

What the cell...? Telcos around the world were so severely pwned, they didn't notice the hackers setting up VPN points (Register) Revealed: Long-running espionage campaign targets phone carriers to snoop on VIPs' location, call records

Hackers linked to China breach 10 mobile operators to steal call records (Computing) The espionage campaign has been conducted for the past seven years, claim security specialists

Eurofins ransomware attack affected UK police work (Help Net Security) Operations are returning to normal after the recent Eurofins ransomware attack, but the impact on financial results "may unfortunately be material."

iOS Devices Compromised…Again (The Media Trust) Malware Targeting iOS Devices Outsmarts a Popular Malware Blocker to Steal Consumer Data

Mobile apps riddled with high-risk vulnerabilities, warns report (Naked Security) Be careful before installing that mobile app on your iOS or Android device – many mobile applications are riddled with vulnerabilities.

New cryptomining botnet malware hits Android devices (HackRead) The new malware exploits Android Debug Bridge (ADB) ports.

Botnet Abusing Android Debug Bridge, SSH is Back (Infosecurity Magazine) A cryptocurrency-mining botnet leverages open ADB ports, researchers say.

Positive Technologies research finds an attacker rarely needs physical access to a victim's smartphone to steal data (Positive Technologies) Positive Technologies research finds an attacker rarely needs physical access to a victim's smartphone to steal data

BGP super-blunder: How Verizon today sparked a 'cascading catastrophic failure' that knackered Cloudflare, Amazon, etc (Register) 'Normally you'd filter it out if some small provider said they own the internet'

How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today (The Cloudflare Blog) Today at 10:30UTC, the Internet had a small heart attack. A small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider.

Incomplete Fix Leads to New Kubernetes Bug (Infosecurity Magazine) A high-severity vulnerability impacts kubectl.

ATM Shimmers Supplanting Skimmers (Flashpoint) With the widespread implementation of EMV chip cards, attackers are now focusing on capturing data from the chip.

When Myspace Was King, Employees Abused a Tool Called ‘Overlord’ to Spy on Users (Vice) Several employees were caught abusing the tool, which let them read users’ messages and passwords.

Vulnerability Summary for the Week of June 17, 2019 (US-CERT) The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Security Patches, Mitigations, and Software Updates

Mozilla patched two Firefox zero-day flaws in one week (Naked Security) Two emergency zero days affecting a browser in one week counts as unusual – especially when they pop up as separate alerts two days apart.

OpenSSH adds protection against Spectre, Meltdown, RAMBleed (Help Net Security) OpenSSH has been equipped with protection against side-channel attacks that could allow attackers to extract private keys from memory.

Using Whitelisting to Remediate an RCE Vulnerability (CVE-2019-2729) in Oracle WebLogic (TrendLabs Security Intelligence Blog) We took a closer look at CVE-2019-2729 to see how this class of vulnerability has been remediated and why it has become a recurring security issue.

Cyber Trends

Forescout Study Reveals Cybersecurity Concerns on the Rise Amid M&A Activity - Forescout (Forescout) Global research survey discovers that 65% of respondents experience buyers’ remorse after closing an M&A deal due to cybersecurity concerns Among IT Decision Makers (ITDMs), 53% say they find unaccounted IoT and OT devices after completing the integration of a new acquisition

Cybersecurity Risks Are Threatening Deals, Industry Survey Shows (Bloomberg) Cybersecurity issues are increasingly becoming a concern in mergers and acquisitions, a new survey shows, and lapses can jeopardize deals or haunt purchasers long after the deal is done.

How past threats and technical developments influence the evolution of malware (Help Net Security) "The evolution of malware-related threats is like a sine wave movement, re-infused by new technology developments," Christiaan Beek told Help Net Security.

#DISummit19: Fraudsters Always React & Respond to Better Security (Infosecurity Magazine) Collaboration is key to preventing online fraud

Cyber security blighted by bias (Fudzilla) More dangerous than a Russian hacker A study of cybersecurity professionals indicates that their confirmation bias is probably more likely to sink the...

Ethics and Compliance Programs Growing More Mature (Infosecurity Magazine) Strong buy-in from leadership drives success of ethics and compliance programs, study finds.

UK Firms Riddled With Vulnerable Open Source Software (Infosecurity Magazine) UK Firms Riddled With Vulnerable Open Source Software. Sonatype warns they each downloaded 21,000 flawed components in 2018

Marketplace

Exclusive: Huawei's U.S. research arm builds separate identity (Reuters) The U.S.-based research arm of China's Huawei Technologies Co Ltd - Futurew...

Huawei: 'No doubt' that we will meet German 5G security standards (Reuters) Huawei, the Chinese technology and telecoms group hit by U.S. sanctions, said on...

Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers” (ProPublica) We recently wrote about two U.S. firms that promised high-tech ransomware solutions but instead paid the cyber-attacker. A U.K. company appears to do the same.

Products, Services, and Solutions

Keeper Announces 24/7 Dark Web Monitoring Solution for Businesses (PR Newswire) Keeper Security, Inc., provider of the leading cybersecurity platform for preventing password-related data breaches and...

DivvyCloud Enhances Industry-Leading Cloud Security With Expanded IAM Capabilities, Compliance Scorecard, and Threat Protection; Achieves 230 Percent YoY Revenue Growth (BusinessWire) DivvyCloud announced new capabilities and technological advancements to its solution, as well as company growth.

Twistlock Releases Twistlock 19.07 with an enhanced enterprise manageability and configurability while continuing to leverage automation and learning (West) Twistlock, the leading provider of container and cloud-native security solutions, today announced the availability of Twistlock 19.07. This release builds on the existing cloud-native network firewall (CNNF) to provide enhanced visualization and manageability, adds threat visualization radar for serverless, automated image trust policies, and broader forensic data collection.

Mist Systems Partners with Forescout to Bring Secure Wireless Access and IoT Policy Enforcement to the AI-Driven Enterprise (Mist Systems) Mist Systems, a Juniper Networks (NYSE: JNPR) company, today announced a strategic relationship with Forescout Technologies, Inc. (NASDAQ: FSCT), the leader in device visibility and control, that enables interoperability between the Mist Learning WLAN and the Forescout platform. This partnership provides comprehensive AI-driven security via automation and programmability to protect Wi-Fi client and Internet of Things...

Cisco’s Duo Security Now Offers Out-of-the-Box Multi-Factor Authentication for Amazon Web Services (Duo Security) Cisco’s Duo Security, the leading multi-factor authentication (MFA) and Zero Trust for the Workforce provider, today announced enhanced MFA support for Amazon Web Services (AWS). AWS customers can add additional protection to their AWS Directory Service applications with Duo’s Push-based MFA in less than 10 minutes. Using the Duo MFA Quick Start for Directory Service, customers can easily deploy Duo MFA by automating hundreds of procedures into a single click.

Technologies, Techniques, and Standards

Opinion | Hackers are taking cities hostage. Here’s a way around it. (Washington Post) Ransomware attacks on U.S. cities are on the rise, and it’s time to break the cycle.

Link security key aim for cyber age - DB - Digital Battlespace (Shephard Media) Cyber security has rapidly grown as a priority for Link 16 and C2 tactical data links more broadly, according to Northrop Grumman, with the company lo

The Rise of Employee Monitoring: Ensuring Security without Sacrificing Trust (Infosecurity Magazine) The burden has shifted to employers to detect and respond to abnormal or anomalous employee-related behavior

4 tips for building a strong security culture (CSO Online) Instead of blame and fear, security teams need to create a culture of personal responsibility to best protect data. Here's how two security leaders do it.

Legislation, Policy and Regulation

Iran Greets Latest U.S. Sanctions With Mockery (New York Times) Both hard-liners and reformers argued that the new sanctions would have little practical impact. One Iranian joked on Twitter: “The only people left to sanction are me, my dad and our neighbor’s kid.”

Iran calls new US sanctions 'outrageous and idiotic' (AP NEWS) Iran on Tuesday sharply criticized new U.S. sanctions targeting the Islamic Republic's supreme leader and other top officials, saying the measures spell the "permanent closure"...

Netanyahu tells Russian official: We will do ‘anything’ to prevent nuclear Iran (Times of Israel) At Jerusalem meet ahead of trilateral summit, Moscow's national security adviser promises to pay 'special attention to ensuring Israel's security'

Trump imposes new sanctions on Iran, warns U.S. ‘restraint’ is limited (Washington Post) President Trump, warning that U.S. “restraint” has limits, signed an executive order Monday imposing additional economic sanctions on Iran in apparent retaliation for the downing of a U.S. drone last week.

EXCLUSIVE: Trump: I do not need congressional approval to strike Iran (TheHill) President Trump told Hill.TV in an exclusive interview Monday that he does not need congressional approval to strike Iran.

Disclaiming responsibility: How platforms deadlocked the Federal Election Commission's efforts to regulate digital political advertising (Telecommunications Policy) Digital advertisements used to interfere in the 2016 U.S. presidential election lacked disclaimers stating who paid for them. This was deliberate on t…

Bipartisan US DASHBOARD Act aims to force tech giants to disclose monetary value of personal data (Computing) Draft bill by Democrat and Republican senators seeks to give users of Facebook, Google and Amazon more control of their data

DoD changes name of security clearance agency, appoints new leadership (Federal News Network) The Defense Department has officially assumed responsibility for the governmentwide security clearance portfolio and has named new leadership.

House panel to hold hearing on Facebook cryptocurrency project (TheHill) The chairwoman of the House Financial Services Committee announced Monday that the panel will hold a hearing next month on Facebook’s plan to develop a cryptocurrency-based payments platform.

Three big holes in Sir Nick Clegg's defence of Facebook (The Telegraph) Sir Nick Clegg has given many speeches in his life.

Watchdog ‘naive’ to think it can regulate social media (Times) The broadcasting watchdog’s plan to regulate social media is unworkable and naive, an online privacy group has said. Digital Rights Ireland said it was concerned that the Broadcasting Authority of...

Updated Guide to Posted Documents Regarding Use of National Security Authorities (IC ON THE RECORD) On September 19, 2017, we posted a guide with links to certain officially released documents related to the use by the Intelligence Community (IC) of national security authorities. Today, we have once again updated that Guide to include links to additional officially released documents...

Litigation, Investigation, and Enforcement

Federal Cybersecurity: America's Data at Risk (United States Senate Permanent Subcommittee on Investigations, Committee on Homeland Security and Governmental Affairs) Federal government agencies are the frequent target of cybersecurity attacks. From 2006 to 2015, the number of cyber incidents reported by federal agencies increased by more than 1,300 percent.

Facebook fails to kill class-action lawsuit over data breach (CyberScoop) The lawsuit against Facebook will continue after a judge disagreed with the company’s contention it shouldn't be held liable for not protecting users' info.

QuadrigaCX CEO Set Up Fake Crypto Exchange Accounts With Customer Funds (CoinDesk) QuadrigaCX CEO and founder Gerald Cotten reportedly created fake accounts at other crypto exchanges and funded them with his customers' money.

German regulator says it discovered new illegal software on Daimler diesels (Ars Technica) Daimler is being forced to recall 42,000 vehicles in Europe.

Police suspend work with major forensics firm after cyber-attack (the Guardian) More than half of outsourced case work disrupted due to Eurofins security breach

Ex-chair of FCC broadband committee gets five years in prison for fraud (Ars Technica) Telecom CEO forged contracts in order to raise $270 million from investors.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

10th Annual Billington CyberSecurity Summit (Washington, DC, USA, September 4 - 5, 2019) This year's theme is, "Reinventing Cybersecurity: Addressing Tomorrow's Top Cyber Challenges." The summit has become the world's leading summit on government cybersecurity. It will convene again U.S. and allied partners in an unprecedented day and a half of high level knowledge sharing and networking.

CyberCon 2019 (Anaheim, California, USA, November 19 - 20, 2019) CyberCon 2019 targets executives, leaders and decision makers from the power and utilities and cybersecurity industries, including CEOs, CFOs, COOs, CSOs and CISOs, as well as national security advisors, U.S. policy makers and leaders who influence power and utility regulations at the federal, state and local levels. Themed “Power On,” the event will feature sessions by more than 40 forward-thinking, actionable and innovative speakers covering a range of pressing cybersecurity topics. The event will also be complimented with an exhibition hall featuring more than 100 of the most successful cybersecurity technology providers showcasing proven and emerging solutions.

upcoming Events

Insider Threat Program Management 360 Training Course (Washington, DC, USA, June 25 - 26, 2019) The Insider Threat Defense Group will hold our most advanced training for Insider Threat Program (ITP) Management. This comprehensive 2 day training course covers all the aspects of an ITP, from A-Z; ITP Development, Management, Legal Guidance, Behavioral Science (Human Actions, Intentions, Investigation & Analysis). A licensed and recognized attorney with extensive experience in ITP's and Employment Law, will provide legal guidance related to ITP's, and on the collection, use, sharing of employee information, and employee computer user activity monitoring. A licensed Behavioral Science / Operational Psychologist will provide expert guidance on the human side of Insider Threat, Violence and Espionage.

GovSummit (Washington, DC, USA, June 26 - 27, 2019) GovSummit -- the government security conference hosted annually by the Security Industry Association -- brings together government security leaders with private industry technologists for top-quality information sharing and education on security topics affecting federal, state and even local agencies. You'll find specialized sessions on topics such as security technology procurement strategies, evolving federal acquisition priorities, infrastructure protection technology, identity management and access control policies, cybersecurity, school security and more.

5th Annual Cyber Security For Defense (Washington, DC, USA, June 26 - 28, 2019) Three days of engaging topics, workshops, case studies, and peer-to-peer networking from across the DoD and greater Intelligence Community. Featured topics include cloud security, blockchain, C4I security, and quantum computing, presented by military leaders, technical experts, researchers, academics and industry members.

Tampa Cybersecurity Conference (Tampa, Florida, USA, June 27, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel with three-to-five local CISOs discuss real-world problems and solutions.

INTERPOL World 2019 (Singapore, July 2 - 4, 2019) INTERPOL World is a global co-creation opportunity which engages the public and private sectors in dialogue, and fosters collaboration to counter future security and policing challenges. INTERPOL World comprises of three interlinked activities: 30 strategic Co-creation Labs to discuss the challenges and solutions for combating the crimes of the future; Exhibition that serves as a business and networking event for 250 manufacturers, distributors, and Research and Development organizations to offer innovative products and cutting-edge technologies; and INTERPOL Working Groups (by invitation only) including the chief innovation officers group, artificial intelligence, drones and the Darknet and cryptocurrency group.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.