Cyber Attacks, Threats, and Vulnerabilities
Hackers breach and steal data from South Korea's Defense Ministry (ZDNet) Government says hackers breached 30 computers and stole data from 10.
Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations (Forbes) FBI files dating back to 2012 leaked by the Oklahoma Securities Commission. Cybersecurity researchers warn of a major compromise of sensitive government data.
Trisis investigator says Saudi plant outage could have been prevented (CyberScoop) A researcher who responded to the attack on Saudi petrochemical plant says the initial incident was not thoroughly investigated.
Fake editions of The Washington Post handed out at multiple locations in D.C. (Washington Post) The print papers were filled with anti-Trump stories, which also appeared on a website that mimicked the official Post site.
An Astonishing 773 Million Records Exposed in Monster Breach (WIRED) Collection #1 appears to be the biggest public breach yet, with millions of unique passwords sitting out in the open.
Out of Commission: How the Oklahoma Department of Securities Leaked Millions of Files (UpGuard) A storage server configured for public access exposed millions of files belonging to the Oklahoma Securities Commission.
Inadvertent Exposure of Archived Data (Oklahoma Department of Securities) The Oklahoma Department of Securities (ODS) has initiated a comprehensive review of the circumstances surrounding an incident involving the inadvertent exposure of information during installation of a firewall.
New Magecart Attack Delivered Through Compromised Advertising Supply Chain (TrendLabs Security Intelligence Blog) We looked into Magecart's latest online skimming activity: injecting malicious code into the JavaScript library of a third-party advertising network.
Now That's Fake News: The Ironic Reason Activists Handed Out Phony Washington Post Newspapers (Fortune) "Unpresidented" read one headline about Donald Trump's supposed resignation from office.
Anti-Trump Activists Defend Fake-Washington Post Stunt (WIRED) Protesters have created satirical newspapers before, but the tactic comes with more baggage in the era of fake news.
LoJax: Fancy since 2016 (NETSCOUT Threat Intelligence) In May of last year, ASERT Researchers reported on LoJax, a double-agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we’ve monitored a number of new malware samples and additional research we believe Fancy Bear (APT28) operators use as part of their toolkit.
Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers (SecurityWeek) Hackers can abuse legitimate features present in industrial controllers to hijack these devices and gain a foothold in a network, a researcher warns.
Your Garage Opener Is More Secure Than Industrial Remotes (BankInfo Security) Radio controllers used in the construction, mining and shipping industries are vulnerable to hackers, Trend Micro says in a new report. To address the issue,
Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations (Trend Micro) Radio frequency (RF) technology is being used in operations to control various industrial machines. However, the lack of implemented security in RF communication protocols could lead to production sabotage, system control, and unauthorized access.
A Security Analysis of Radio Remote Controllers for Industrial Applications (Trend Micro) Radio frequency (RF) remote controllers are widely used in manufacturing, construction, transportation, and many other industrial applications. Cranes, drills, and miners, among others, are commonly equipped with RF remotes. Unfortunately, these devices have become the weakest link in these safety-critical applications, characterized by long life spans, high replacement costs, and cumbersome patching processes. Given the pervasive connectivity promoted by the Industry 4.0 trend, we foresee a security risk in this domain as has happened in other fields.
NanoCore Trojan is protected in memory from being killed off (ZDNet) If you are infected with this malware, you might find it is more difficult to eradicate than standard Trojans.
.Net RAT Malware Being Spread by MS Word Documents (Fortinet Blog) Fortinet’s FortiGuard Labs captured a malicious MS Word document from the wild that contains auto-executable malicious VBA code that can spread and install NanoCore RAT software on a victim’s Windo…
Millions in damages: Criminals extort companies with new malicious software (Insider) The Federal Office for Information Security (BSI) is issuing a strong warning about a young but dangerous pest, and in doing so one encounters an old acquaintance. The malware downloads further Trojans and can then cause extensive damage in a corporate network.
Ryuk ransomware poses growing threat to enterprises (SearchSecurity) Research from CrowdStrike and FireEye refutes reports that North Korea is behind the Ryuk ransomware, and CrowdStrike said a Russian-speaking cybercrime group known as Grim Spider is behind the attacks on enterprises.
Cryptomining Malware Uninstalls Cloud Security Products (Threatpost) New samples of cryptomining malware perform a never-before-seen function: uninstalling cloud security products.
The Rise and Fall of Ashiyane - Iran's Foremost Hacker Forum (SecurityWeek) A new report from Recorded Future looks at the rise and fall of Ashiyane -- Iran's first and foremost security forum -- and its figurehead, Behrooz Kamalian.
Lockheed Martin executive: Reported Navy hack did not impact Aegis Common Source Library (InsideDefense.com) A recently reported hack of Navy contractors did not affect Lockheed Martin's Aegis Common Source Library, according to a company executive.
I can get and crack your password hashes from email (CSO Online) Malicious hackers can use a simple trick to get your Windows computer to authenticate to a remote server that captures your password hash — just by sending you an email. Take these steps to test for the vulnerability.
ThinkPHP Exploit Actively Exploited in the Wild (Akamai) While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with. Further research into it led me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a...
Decrypted Telegram bot chatter revealed as new Windows malware (TechCrunch) Sometimes it takes a small bug in one thing to find something massive elsewhere. During a recent investigation, security firm Forcepoint Labs said it found a new kind of malware that was taking instructions from a hacker sending commands over the encrypted messaging app Telegram. The researc…
Be Careful Using Bots on Telegram (WIRED) Introducing a bot to a secure Telegram conversation downgrades the level of encryption—without providing any visual cues.
Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics (TrendLabs Security Intelligence Blog) Malicious apps on Google Play were trying to drop the Anubis banking malware on unsuspecting users. They were also using an innovative new evasion tactic.
Are you sure those WhatsApp messages are meant for you? (Naked Security) Abby Fuller got a shock when she logged into WhatsApp using a new telephone number. She found someone else’s messages waiting for her.
More .gov Domains Hit by Government Shutdown (SecurityWeek) The number of US government domains for which security certificates were left to expire due to the government shutdown has exceeded 130. One impacted domain belongs to the White House.
Government Shutdown Puts U.S. at Major Hacking Risk, Cybersecurity Experts Warn (Fortune) "We have laid out the welcome mat to any and all nefarious actors."
Analysis | The Cybersecurity 202: Government cyber workers increasingly concerned hackers will strike during shutdown (Washington Post) A furloughed worker says a bare-bones staff isn't enough.
Security Patches, Mitigations, and Software Updates
Oracle Critical Patch Update - January 2019 (Oracle) A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.
Intel patches another security flaw in SGX technology (Naked Security) Of the six advisories Intel released last week, the most interesting is a flaw discovered in the company’s Software Guard Extensions (SGX).
Cyber Trends
WEF: Cyber Attacks a Major Global Risk for Next Decade (Infosecurity Magazine) Annual report reveals continued concerns over online theft and disruption
2019 Study on America’s Relationship with Cybercrime (ERP Maestro) Years ago, theft concerned one of two things: money or property. In the digital age, lines have blurred.
IoT Security Is (Still) a Gigantic Mess (PCMAG) Over half of companies still can't detect Internet of Things breaches, and a majority of consumers fear a lack of privacy with IoT devices, according to Gemalto's State of IoT Security report.
Marketplace
Filling the Growing Cyber Workforce Gap (SIGNAL Magazine) Rob Joyce, senior cyber advisor to the director, NSA, tells attendees at CERTS that there needs to be systemic changes to fill the cyber talent gap.
Analysis | The Cybersecurity 202: A bump in Washington-area cyber startups could bring new blood to government (Washington Post) Venture capital funding for D.C. cyber firms is up 50 percent since 2015.
Why You Should Consider the NSA’s Commercial Solutions for Classified Program (Technology Solutions That Drive Government) The program certifies commercial tools defense and intelligence agencies can use to build encrypted networks and helps streamline IT footprints.
Marriott looks to reboot loyalty plan after cyber attack (Channel NewsAsia) Marriott International Inc on Wednesday unveiled a new brand name for its loyalty programs, as the hotel chain looks to rebuild its image ...
FBI Awards Salient CRGT $40M Cyber Contract | WashingtonExec (WashingtonExec) The FBI has awarded Salient CRGT a $40.1 million prime contract for cybersecurity services, the company announced. Under the task order, awarded under the
These 3 software companies are good bets during a slowdown, says Morgan Stanley (CNBC) Morgan Stanley highlights three software stocks that can outperform even during a "slowing macro environment," thanks in part to a focus on recurring revenue streams.
ExtraHop Blows Past the $100 Million Milestone Fueled by 10x Growth in Security (ExtraHop) Enterprise Security Analytics Company Poised for a Breakout 2019 with Continued Innovation, GTM expansion, and a Spate of Industry Recognition
CenturyLink Adds Singapore to Global Security Operations Center Footprint (MediaRoom) As the global threat landscape continues to increase in size and complexity, so does the number of add-on security solutions designed to address these challenges. In response, enterprises around...
Thales and Wales Partner to Build £20 Million National Digital Centre (Computer Business Review) The Welsh government has entered into a partnership with French technology and security company Thales Group to deliver a cyber research...
BAE Systems to open office in expanded Georgia cyber centre (Jane's 360) BAE Systems has announced that it plans to lease an office within the Georgia Cyber Center in Augusta, which has just been expanded to encourage more companies to invest in the growing industry within the US state. The company said that by locating itself at the centre, which boasts having received
Noblis Names Rich Jacques Vice President of Intelligence (Benzinga) Noblis, Inc., a leading provider of science, technology, and strategy services, is pleased to announce that Rich Jacques has...
Deep Instinct Continues Momentum in ANZ With New Hires and Business Wins (BusinessWire) Deep Instinct, the first company to apply deep learning to cybersecurity, today announced the company’s continued growth, expansion and investment in
Products, Services, and Solutions
Cofense Launches MSSP Program to Provide Essential Phishing Defense Capabilities to Small and Midsized Businesses (PR Newswire) Today Cofense™, the leading provider of human-driven phishing defense solutions world-wide, launched its Managed...
Pulse Secure launches new vADC Community Edition to help developers build smarter applications for container and cloud platforms (GlobeNewswire News Room) Free to use virtual Application Delivery Controller (vADC) software offers a robust, agile platform for software developers with seamless transition into production environments
Cybeats Releases IoT Security App on Palo Alto Networks Framework (SDxCentral) The Cybeats IoT Radar app provides internal defense, monitoring, and lifecycle management directly to IoT devices.
Gemalto to Produce Secure and Innovative Healthcare Cards for Quebec (BusinessWire) Gemalto (Euronext NL0000400653 - GTO), the world leader in digital security, and the Société de l'assurance automobile du Québec (SAAQ) have been chos
Technologies, Techniques, and Standards
Why it's So Hard to Implement IoT Security (SecurityWeek) IoT security is a tough challenge — involving everything from hard to implement standards; hard to reach industrial components; and choices on how to integrate security around both older “brownfield” and newer IoT systems and equipment.
In the Era of Electronic Warfare, Bring Back Pigeons (War on the Rocks) On April 16, 1919, the troop transport Ohioan docked at Hoboken, New Jersey. Among the various disembarking members of the American Expeditionary Forces
Building your forensic analysis toolset (CSO Online) Every security team should have these types of digital forensics tools available. Many are free, and there are enough options to find one that suits your skills and approach.
Threatpost Survey Says: 2FA is Just Fine, But Go Ahead and Kill SMS (Threatpost) Our reader poll showed overwhelming support for 2FA even in the wake of a bypass tool being released — although lingering concerns remain.
Design and Innovation
Siemens is beating hackers at their game (Manufacturers' Monthly) Siemens’ cybersecurity experts are taught to “think like a hacker” as a means to stay ahead of an ever-growing number of cyberattacks.
Facebook's '10 Year Challenge' Is Just a Harmless Meme—Right? (WIRED) Opinion: The 2009 vs. 2019 profile picture trend may or may not have been a data collection ruse to train its facial recognition algorithm. But we can't afford to blithely play along.
Three quarters of Facebook users unaware of how much it knows about them (The Telegraph) Most Facebook users don't realise how much Facebook knows about them and are uncomfortable with it when they find out, research suggests.
Research and Development
DARPA awards GrammaTech $8.4m for autonomous cyber hardening technology (New Electronics) GrammaTech, a developer of commercial embedded software assurance tools and advanced cybersecurity solutions, has been awarded a $8.4 million, 4-year contract from Defense Advanced Research Projects Agency (DARPA), an agency of the US Department of Defense.
Academia
Stephenson Technologies launches cybersecurity partnership with Israeli firm (Baton Rouge Business Report) LSU’s applied research corporation Stephenson Technologies is partnering with Israel-based Check Point Software Technologies to develop cybersecurity training programs.
Legislation, Policy, and Regulation
Polish PM urges allies to spend more on cybersecurity (Polskie Radio dla Zagranicy) Poland’s prime minister on Wednesday urged allies to increase spending on cyber security, a news agency reported.
Polish Prime Minister Urges Allies to Beef Up Cybersecurity Budgets (Atlantic Council) Polish Prime Minister Mateusz Morawiecki on January 16 called for a collective Western response to cyber threats while urging allies to increase spending on cybersecurity. “I call on you today and encourage your leaders and governments to spend...
US cyber commander warns countries to ‘wise up’ over the threat of cyber attacks (First News) A former Commander General in the United States Cyber Command (USCYBERCOM) has said that tougher regulations are needed by countries to combat cyber attacks.
Sweden to train 'cyber soldiers' during military service (The Local) The Swedish Armed Forces will increase the number of military conscripts from next year, and for the first time will train 'cyber soldiers' to defend the country from possible cyber attacks.
China’s first steps before going to battle (C4ISRNET) A new report released by the Defense Intelligence Agency explains why the Chinese military could target command and control systems before any conflict begins.
3 ways China’s military could use cyber in war (Fifth Domain) A new report articulates how China might use cyber capabilities during a conflict.
U.S. official cautions Israel over Chinese investments (Reuters) A U.S. official cautioned Israel on Wednesday over investments from China, citin...
China calls proposed U.S. legislation against Huawei, ZTE 'hysteria' (U.K.) China's Foreign Ministry said on Thursday that proposed U.S. legislation ta...
U.S. legislation steps up pressure on Huawei and ZTE, China calls... (Reuters) A bipartisan group of U.S. lawmakers introduced bills on Wednesday that would ba...
Cotton, Van Hollen, Gallagher and Gallego Introduce Bill to Impose Denial Orders on Chinese Telecom Companies That Violate U.S. Sanctions (Senator Tom Cotton) Senator Tom Cotton (R-Arkansas), Senator Chris Van Hollen (D-Maryland) and Representatives Mike Gallagher (R-Wisconsin) and Ruben Gallego (D-Arizona) introduced the bipartisan Telecommunications Denial Order Enforcement Act to direct the President to impose denial orders banning the export of U.S. parts and components to Chinese telecommunications companies that are in violation of U.S. export control or sanctions laws.
Joe Lieberman Called Chinese Telecom Giant ZTE a National Security Threat. Now He’s a Lobbyist for It. (The Daily Beast) The former senator says he can better serve his new client precisely because he was once a critic.
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile (Dark Reading) When it comes to acceptable circumstances for government disclosure of zero-days, the new Vulnerabilities Equity Process might be the accountability practice security advocates have been waiting for.
Litigation, Investigation, and Law Enforcement
Federal Prosecutors Pursuing Criminal Case Against Huawei for Alleged Theft of Trade Secrets (Wall Street Journal) U.S. prosecutors are pursuing a criminal investigation of China’s Huawei Technologies for allegedly stealing trade secrets from U.S. business partners.
Huawei Connection: The Trail of Documents (Security Boulevard) News of additional Huawei bad behavior, via Steve Stecklow, Babak Dehghanpisheh and James Pomfret (with additional reporting by Nadia El-Gowely, Bozorgmehr Sharafedin and Shadia Nasralla), all writing for Reuters, exposes the questionable activities of Huawei in Iran and Syria, as detailed in documents now held by US law enforcement authorities. Bad behavior, indeed.
Barr hearing: Feinstein says she won’t vote for attorney general nominee unless he promises to release Mueller report (Washington Post) The comment from the Senate Judiciary Committee’s top Democrat came on the second day of William Barr’s confirmation hearing.
Trump Must Be a Russian Agent; the Alternative Is Too Awful (WIRED) We know a lot about the “what” of the Mueller probe’s findings. The crucial questions now focus on the “why.”
Rick Gates Tells Mueller About Trump Team's Dealings With Israeli Intelligence Firm (The Daily Beast) Psy Group delivered plans for ‘social media manipulation’ in 2016 and the special counsel is digging in as part of his probe into Mideast influence.
Republican Committee Leaders Probe Wireless Carriers and Third Parties Over Location Sharing Practices (Energy and Commerce Committee) House Energy and Commerce Committee leaders today sent letters requesting information from six companies about the sale and misuse of cell phone geolocation data. The letters were sent to Zumingo, Microbilt, T-Mobile, AT&T, Sprint, and Verizon. The letters seek to increase transparency surrounding how U.S. wireless carriers and third parties are accessing, …
Sprint to Stop Selling Location Data to Third Parties After Motherboard Investigation (Motherboard) After AT&T and T-Mobile said they would stop selling their customers’ phone location data to third parties, Sprint followed suit. A Motherboard investigation found all three telcos selling data that ultimately ended up in the hands of bounty hunters.
IG Cites Several Cybersecurity Concerns for the NSA (Meritalk) On Tuesday, the Office of the Inspector General (OIG) released a semi-annual report of the National Security Agency (NSA) to Congress that cited several security concerns for the agency’s technology and data.
“Stole $24 Million But Still Can’t Keep a Friend” (KrebsOnSecurity) Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims.