Cyber Attacks, Threats, and Vulnerabilities
Exclusive: Western intelligence hacked 'Russia's Google' Yandex to spy on accounts - sources (Reuters) Hackers working for Western intelligence agencies broke into Russian internet se...
Russian search giant Yandex hacked by Western intelligence agencies to spy on developers (Computing) Yandex hack occurred between October and November 2018 when Regin malware associated with the NSA was found
Chinese Cyber-Operatives Boosted Taiwan’s Insurgent Candidate (Foreign Policy) Han Kuo-yu came out of nowhere to win a critical election. But he had a little help from the mainland.
Hackers are repeatedly targeting Navy contractors (Fifth Domain) Huntington Ingalls, the Navy’s largest shipbuilder, was the subject of the latest sophisticated hacking spree by organs of the Chinese government, according to a report from Reuters.
Breach at Cloud Solution Provider PCM Inc. (KrebsOnSecurity) A digital intrusion at PCM Inc., a major U.S.-based cloud solution provider, allowed hackers to access email and file sharing systems for some of the company’s clients, KrebsOnSecurity has learned.
Ford, TD Bank Files Found Online in Cloud Data Exposure (Bloomberg) Information management company Attunity left emails, log-ins and project plans open to public view
Leaky Amazon S3 Buckets Expose Data of Netflix, TD Bank (Threatpost) Netflix, TD Bank, and Ford were only a few of the companies whose data was exposed by three leaky Amazon S3 buckets owned by Attunity.
Data Warehouse: How a Vendor for Half the Fortune 100 Exposed a Terabyte of Backups (UpGuard) Backups ensure data continuity, but they're also a surface of risk. See how Fortune 100 vendor Attunity exposed nearly a terabyte of internal backups.
ViceLeaker Android malware steals call recordings, photos, videos & texts (HackRead) Israeli Citizens are the Primary Target of New Android Mobile Spying Campaign Using ViceLeaker Malware, says Kaspersky.
Medica[re]Supplement.com Left 5m Records Exposed (Infosecurity Magazine) A researcher found millions of publicly available user records from a marketing database.
Medicare Supplement Data Breach: 5 million personal records exposed (Comparitech) MedicareSupplement.com exposed 5 million records containing personal information, including some medical details, to anyone with an internet connection.
Scammers Prey on Instagram Vanity and 'Verified Account' Status (Threatpost) Hackers are stealing Instagram credentials through a tricky phishing scam that asks victims to apply for exclusive verified account status.
Fake Instagram Verification (Sucuri Blog) A fake Instagram verification campaign lures IG users to submit their email credentials and passwords on malicious phishing pages.
New ransomware infections are the worst drive-by attacks in recent memory (Ars Technica) Beware of websites booby-trapped by newly energized ShadowGate group, researchers warn.
ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit (TrendLabs Security Intelligence Blog) After almost two years of sporadic restricted activity, the ShadowGate campaign has started delivering cryptocurrency miners with a newly upgraded version of the Greenflash Sundown exploit kit. The campaign has been spotted targeting global victims, after operating mainly in Asia.
Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign (TrendLabs Security Intelligence Blog) We found a Golang-based spreader being used in a campaign that drops a cryptocurrency miner payload. Trend Micro has been detecting the use of the spreader since May and saw it again in a campaign this month.
Crypto Exchange Bitrue Loses $4.5m in Cyber Raid (Infosecurity Magazine) Singaporean exchange promises to reimburse all customers
FDA Says Medtronic Insulin Pumps Pose Cybersecurity Risk (Wall Street Journal) The Food and Drug Administration warned that certain insulin pumps made by Medtronic have cybersecurity vulnerabilities and could be manipulated by hackers, causing danger to diabetes patients.
ABB PB610 Panel Builder 600 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Low skill level to exploit
Vendor: ABB
Equipment: PB610 Panel Builder 600
Vulnerabilities: Use of Hard-coded Credentials, Improper Authentication, Relative Path Traversal, Improper Input Validation, Stack-based Buffer Overflow
ABB CP651 HMI (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Exploitable from adjacent network/low skill level to exploit
Vendor: ABB
Equipment: CP651 HMI
Vulnerability: Use of Hard-coded Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node, or insert and run arbitrary code in an affected system node.
SICK MSC800 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: SICK
Equipment: MSC800
Vulnerability: Use of Hard-coded Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a low-skilled remote attacker to reconfigure settings and/or disrupt the functionality of the device.
Advantech WebAccess/SCADA (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Advantech
Equipment: WebAccess/SCADA
Vulnerabilities: Path Traversal, Stack-based Buffer Overflow, Heap-based Buffer Overflow, Out-of-bounds Read, Out-of-bounds Write, Untrusted Pointer Dereference
Medtronic MiniMed 508 and Paradigm Series Insulin Pumps (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.1
Vendor: Medtronic
Equipment: MiniMed 508 and Paradigm Series Insulin Pumps
Vulnerability: Improper Access Control
2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker with adjacent access to one of the affected products to intercept, modify, or interfere with the wireless RF (radio frequency) communications to or from the product.
ABB CP635 HMI (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Exploitable from adjacent network/low skill level to exploit
Vendor: ABB
Equipment: CP635 HMI
Vulnerability: Use of Hard-coded Credentials
Spotify needs to crack down on labels snatching user data (TechCrunch) Spotify seems to have learned little from the Facebook developer platform’s scandals despite getting a huge boost from the social network in its early days. Spotify has been caught allowing record labels to grab tons of unnecessary user data and permissions to even control their accounts just…
Docker containers are filled with vulnerabilities: Here's how the top 1,000 fared (TechRepublic) An analysis of the 1,000 most popular Docker containers uncovered a variety of security vulnerabilities, some of which are critical.
How Hackers Turn Microsoft Excel's Own Features Against It (WIRED) A pair of recent findings show how hackers can compromise Excel users without any fancy exploits.
Threat actors are doing their homework, researchers identify new impersonation techniques (Help Net Security) New FireEye email threat report reveals increase in social engineering attacks, file-sharing service exploitation, and new impersonation techniques.
Anatomy of a ransomware attack: How attackers gain access to unstructured data (Help Net Security) Ransomware isn’t a new phenomenon, but its effects are starting to be felt more widely, and more deeply than ever before. Behemoths like Sony, Nissan,
Payment Fraud Linked to Terrorism and Trafficking (Infosecurity Magazine) Terbium Labs calls for bigger anti-fraud effort from financial institutions
Office 365 Phishing Protection - Is Native Microsoft Protection Safe? (HackRead) For the last couple of years, there has been a surge in phishing attacks against businesses and unsuspecting users. What’s worse is that phishing, which was previously merely a fraudulent attempt to obtain sensitive information, is now spreading malicious content including ransomware.
Five Million IP Camera Cyber-Attacks Blocked in Just Five Months (Infosecurity Magazine) IP surveillance devices facing high numbers of cyber-attacks
Grieving People Gathered on a Facebook Support Group. Then a Hacker Showed Up. (New York Times) Page administrators of Grief the Unspoken say a hacker repeatedly posted disturbing images on the page, which has 500,000 followers.
A zombie game with 50,000 Play Store downloads was pulling sensitive data from Gmail (CyberScoop) Researchers from the mobile security company Wandera identified the app, called “Scary Granny ZOMBY Mod: The Horror Game 2019,” as a malicious program.
Security Patches, Mitigations, and Software Updates
Cisco plugs critical security holes in Data Center Network Manager (Help Net Security) Cisco has plugged four security holes in its Data Center Network Manager, two of which are critical (they have a 9.8 CVSS score).
Cyber Trends
Survey: Federal Government Data Remains Unsecure at the Edge (PR Newswire) Acronis SCS, a data security and cyber protection company, in partnership with research firm Market Connections,...
(ISC)² Research Report Indicates That Small Businesses May Not Be the Weakest Link in the Supply Chain ((ISC)²) Study reveals that cybersecurity staffing and best practices are bigger factors than company size in assessing security risk associated with supply chain partners
A Quarter of Europe’s Largest Banks Do Not Use Best-Practice Security Measures to Protect Against Phishing (ResponseSource Press Release Wire) Sectigo Analysis Reveals Gaps for Security-Conscious Customers Using Online Banking Services
Where are organizations stalling with cybersecurity best practices? (Help Net Security) What’s concerning though is that organizations seem to have come to a standstill in their journey to cybersecurity best practices.
Marketplace
BlueRidge.AI raises $1.9M to bring machine learning to factory floors (Technical.ly Baltimore) Founded by NSA alum Lloyd Clark, the company is building its business at Fulton, Md.-based DataTribe.
The rise of the new crypto “mafias” (TechCrunch) Ash Egan Contributor Ash Egan leads crypto investing at Accomplice. He formerly was a VC at ConsenSys Ventures and Converge. In the early 2000s, journalists popularized the term “PayPal mafia” to describe the PayPal founders and employees who left to start their own wildly successful te…
How Apple dodged a privacy scandal (CRN Australia) Succeeding where Facebook did not.
Apple Moves Mac Pro Production to China (Wall Street Journal) Apple is making its new Mac Pro computer in China, shifting abroad production of what had been its only major device assembled in the U.S., even as trade tensions escalate between the U.S. and China.
How a Big U.S. Chip Maker Gave China the ‘Keys to the Kingdom’ (Wall Street Journal) Advanced Micro Devices revived its fortunes when it decided to help Chinese partners develop computer-chip technology. The deal sparked a prolonged battle with Washington over national security.
Huawei Personnel Worked With China’s Military on Research Projects (Bloomberg) Huawei says research was not authorized by the company. Employees collaborated on AI and communications with military.
Huawei shrugs off Verizon patent talks as 'common' business (U.S.) Huawei pegged its patent talks with U.S. carrier Verizon as "common" b...
Alphabet's cybersecurity company Chronicle is merging into Google's cloud business (CNBC) The move comes as Google Cloud CEO Thomas Kurian makes wide-ranging changes to the group as he surpasses six months on the job. Earlier this month, Kurian's group bought data analytics company Looker.
Alphabet's cybersecurity moonshot is coming to Google Cloud (CRN Australia) Chronicle to merge threat-detection tech with Google.
New York comptroller wants Zuckerberg out as Facebook chairman (Silicon Valley Business Journal) Tom DiNapoli, as trustee of the state retirement fund, oversees more than $1 billion in Facebook shares.
Mocana Joins CTIA and GSMA to Bring Mission-Critical Security Expertise to the Telecom Sector (West) End-to-End Device Security Leader Joins CTIA’s Cybersecurity and Smart Cities Business & Technology Working Groups
Products, Services, and Solutions
Denim Group’s ThreadFix Integrates with WhiteSource, Brings Comprehensive Management to Open Source Software Vulnerabilities (BusinessWire) Denim Group’s ThreadFix Integrates with WhiteSource, Brings Comprehensive Management to Open Source Software Vulnerabilities
Bsquare Selected by Arcus FM to Help Develop Distributed Intelligence Solution for Facilities Management in Retail (Yahoo) Bsquare Corporation (BSQR), a provider of next generation intelligent devices and systems, today announced an agreement with Arcus FM, a leading UK facilities management provider, to develop a distributed intelligence management solution to serve Arcus'
ProcessUnity Updates Intelligent Risk and Compliance Platform (ProcessUnity) ProcessUnity launched the latest version of its Risk and Compliance platform, adding intelligent capabilities to make users more effective and efficient.
MobileIron Research Reveals 8 in 10 IT Leaders Want to Eliminate Passwords and Expect Mobile Devices to Become Primary Authentication to the Enterprise (BusinessWire) MobileIron (NASDAQ:MOBL) today revealed the results of a survey conducted with IDG, which found that enterprise users and security professionals alike
CyberX Enhances Industrial Threat Intelligence with Automated Threat Extraction Platform (Yahoo) CyberX, the IoT and industrial control system (ICS) security company, today announced it has enhanced its specialized IoT/ICS threat intelligence.
Elysium Analytics Launches Global Partner Program (West) Program to deliver technical and strategic cybersecurity services, with tiered channel resale
Personal Capital Launches Bug Bounty Program with Bugcrowd (Yahoo) Today, digital wealth manager Personal Capital is launching a public bug bounty program with Bugcrowd, the No. 1 crowdsourced security company. The initiative will incentivize security researchers to hack a replica of the Personal Capital site to
Nixu Certification Ltd. accredited to audit high security information systems (Cision) In the fast-moving digital era, whether a company is building a space station or a simple digital platform - it is vital to be able to show that it has carefully considered the associated cybersecurity risks well beforehand and acted to mitigate them.
ID TECH’s VP3320 Receives the SCRP Certification from the PCI Security Standards Council (Digital Journal) ID TECH is a global leader in secure payment solutions that designs and manufactures a full range of PCI-certified PIN entry devices, PIN on Glass readers, chip card (EMV) readers and magstripe readers in addition to the acclaimed ViVOpay line of contactless payment products.
JASK Delivers Enhanced Cloud Workload Traffic Security Visibility with Amazon Web Services (Yahoo) JASK Offers Support for Amazon Virtual Private Cloud Traffic Mirroring Launched at AWS re:Inforce 2019
Jetico Launches Cloud-Based Central Management of Disk Encryption (BusinessWire) Jetico, long-trusted pioneer in encryption software, announced today the launch of Jetico Central Manager in the cloud, now available for BestCrypt Vo
Technologies, Techniques, and Standards
Intel, Arm team up to create new IoT standard for device onboarding (CRN Australia) Working to make sure devices are properly connected to the cloud.
How to Weather a Hack: Lessons from the Macron Leaks (Atlantic Council) Just days before the final round of France’s 2017 presidential election—and mere hours before a media blackout would muzzle all content on the campaign—hackers and online trolls released and promoted a dump of leaked e-mails from leading candidate...
Data Mapping & Discovery Tools Top Privacy Shopping Lists (Infosecurity Magazine) Data mapping and discovery tools top privacy purchase plans
Cybersecurity – It Takes an Engineer to Catch an Engineer (Infosecurity Magazine) How to use cyber-criminal behavior pattern knowledge to our advantage
Design and Innovation
Blockchain, AI Combine to Make an Internet of Smarter Things (Wall Street Journal) Hewlett Packard Enterprise is researching ways that artificial intelligence can make medical equipment, industrial robots and other internet-connected devices smarter while protecting data privacy.
When it comes to cybersecurity, perfection is the enemy of progress (Help Net Security) In infosec, perfection is the enemy of progress, says Lenny Zeltser. But it’s one thing to know about this maxim and another to internalize its wisdom.
Machine Identity Protection Development Fund (Venafi) Machine identity protection now and in the future enabling you to build machine identity intelligence into a wider range of your enterprise infrastructure
Facebook’s content oversight board plan is raising more questions than it answers (TechCrunch) Facebook has produced a report summarizing feedback it’s taken in on its idea of establishing a content oversight board to help arbitrate on moderation decisions. Aka the ‘supreme court of Facebook’ concept first discussed by founder Mark Zuckerberg last year, when he told Vox: [O…
Mark Zuckerberg Is Rethinking Deepfakes (The Atlantic) In an interview, the Facebook CEO hinted that the company is trying a new approach to misleading videos created through artificial intelligence.
We’re Updating Our Terms of Service to Better Explain How Facebook Works (Facebook Newsroom) People should have clear, simple explanations of how online services work and use personal information.
Twitter will now hide — but not remove — harmful tweets from public figures (The Verge) The platform has been criticized for letting politicians break the rules without consequence.
Opinion | A Major Police Body Cam Company Just Banned Facial Recognition (New York Times) Its ethics board says the technology is not reliable enough to justify using.
Is the digital identity layer missing or just misplaced? (CSO Online) The orchestration of existing services and data could provide a digital identity layer that gives the internet a common way to handle identity for all consumers.
Research and Development
Are heart electrocardiograms the next big thing in biometrics? (Naked Security) After fingers, the iris of the eye, ears and even lips, it was probably inevitable that someone would propose the human heart might be the next big thing in biometric security.
AT&T hopes quantum networking will amplify the power of quantum computing (CNET) A partnership with academic researchers is tackling the enormous challenges of moving quantum networks out of the lab and onto the internet.
Legislation, Policy, and Regulation
Israel cyber spying helped foil terror attacks in ‘dozens’ of countries, PM says (Times of Israel) Netanyahu reveals intel was used to thwart midair explosion of Sydney-Abu Dhabi flight, says case can be multiplied by 50 to show Israel's contribution to cybersecurity
EU should ban AI-powered citizen scoring and mass surveillance, say experts (The Verge) New recommendations have also been criticized as lacking enforceability
One Senate panel’s idea to prioritize cybersecurity spending (Fifth Domain) The Senate's Permanent Subcommittee on Investigations has ideas to improve federal cybersecurity.
Open Forum: Data privacy rules should create consistency, not chaos (San Francisco Chronicle) There’s a broad consensus that internet users need privacy and data protections. But the power to make that law should rest with Congress, not states like California.
Analysis | The Cybersecurity 202: Democrats promise to punish Russian hacking as Trump seems to make light of it (Washington Post) The president joked with Putin in Japan.
Elizabeth Warren wants to overhaul U.S. election security (CyberScoop) Sen. Elizabeth Warren, D-Mass., released a plan focused on election security Tuesday that would replace every voting machine in the U.S. with “state-of-the-art” technology and require states to follow federal standards for federal elections.
My Plan to Strengthen Our Democracy (Team Warren - Medium) Elections are the foundation of our democracy, but in the United States — the greatest democracy in the world — our government treats voting like it’s one of the least important things we do.
Banning end-to-end encryption being considered by Trump team (9to5Mac) The Trump administration is considering the possibility of banning end-to-end encryption, as used by services like Apple's Messages and FaceTime ...
Trump officials weigh encryption crackdown (POLITICO) The provocative step would reopen a long-running feud between federal authorities and Silicon Valley.
Baltimore approves $10M in funding for cyber attack relief (Washington Post) Baltimore City officials approved using $10 million in excess revenue to cover the ongoing cost of the cyber attacks that immobilized some of the city’s systems almost two months ago
Litigation, Investigation, and Law Enforcement
Senate's Russia reports to start publishing in July (POLITICO) The committee has reviewed more than 300,000 pages of documents and conducted interviews with more than 200 witnesses.
Iran seizes 1,000 Bitcoin mining machines (BBC News) Large racks of the computers constantly mining Bitcoin have led to a spike in electricity consumption.
Huawei loses trade secrets case against US chip designer (CRN Australia) US jury clears CNEX Labs but awarded no damages on its own claims.
YouTube’s antics with kids’ data prompts call for FTC to force change (Naked Security) Sen. Markey and 2 consumer groups said the Google-owned service must comply with COPPA and should be held accountable for not doing so.
FTC crackdown targets operators behind 1 billion robocalls (Naked Security) It’s a drop in the “4.7 billion robocalls placed per month” bucket, but hey, it’s better than nothing!