The CyberWire Daily Briefing, 7.9.19

Cyber Attacks, Threats, and Vulnerabilities

Croatian government targeted by mysterious hackers (ZDNet) Government agencies targeted with never before seen malware payload — named SilentTrinity.

Malicious campaign targets South Korean users with backdoor-laced torrents (Posilan Ltd) ESET researchers have discovered a malicious campaign distributing a backdoor via torrents, with Korean TV content used as a lure Fans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using South Korean movies and TV shows as a guise. The malware allows the attacker to connect …

Malicious campaign targets South Korean users with backdoor-laced torrents | WeLiveSecurity (WeLiveSecurity) ESET researchers dissect a malicious campaign that targets mainly South Korean users and spreads a backdoor via torrents, using local TV content as a lure.

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! (Medium) Vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially…

Serious Zoom security flaw could let websites hijack Mac cameras (The Verge) Not good

Microsoft Discovers Fileless Astaroth Trojan Campaign (BleepingComputer) A fileless malware campaign used by attackers to drop the information stealing Astaroth Trojan into the memory of infected computers was detected by Microsoft Defender ATP Research Team researchers.

Microsoft warns about Astaroth malware campaign (ZDNet) New hard-to-detect Astaroth campaigns spotted using fileless execution and living-off-the-land techniques.

Report: Fieldwork Software Leaks Sensitive Customer Data (vpnMentor) vpnMentor‘s research team found a leak in the Fieldwork software database. Noam Rotem and Ran Locar, the heads of our cybersecurity research team, found ...

More than 1,000 Android apps harvest data even after you deny permissions (CNET) The apps gather information such as location, even after owners explicitly say no. Google says a fix won’t come until Android Q.

Dridex Banking Trojan, RMS RAT Dropped via Fake eFax Messages (BleepingComputer) Researchers from Cofense have discovered a new malspam campaign that delivers fake eFax messages designed to drop a banking Trojan and RAT cocktail via malicious Microsoft Word document attachments.

Superhuman’s Superficial Privacy Fixes Do Not Prevent It From Spying on You (Mike Industries) Last week was a good week for privacy. Or was it? It took an article I almost didn’t publish and tens of thousands of people saying they were creeped out, but Superhuman admitted they were wrong and reduced the danger that …

Who’s Behind the GandCrab Ransomware? (KrebsOnSecurity) The crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly successful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after allegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into who may be responsible for recruiting new members to help spread the contagion.

A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From Over. (New York Times) Weeks after Lake City, Fla., was hit by a cyberattack, the phones are back on and email is working, but the city has not yet recovered all its files.

The Scene: Pirates Ripping Content From Amazon & Netflix (TorrentFreak) Traditionally, a major source of high-quality pirate releases has been retail discs, such as Blu-ray or DVD. Today, torrent and streaming sites are regularly fueled by content culled from streaming services such as Netflix and Amazon. Known online as WEB releases, these files are the product of a decryption process using tools mostly not intended for public use.

Cortana and Alexa, helpful assistants or security threat? (The Jerusalem Post) Technion student says there is a major cyber security risk between the two.

3 ways IoT devices compromise security (Fifth Domain) The National Institute of Standards and Technology released a report detailing the cybe security and privacy risks associated with the Internet of Things.

Vulnerability Summary for the Week of July 1, 2019 (CISA) The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Hacker Ransom Demands From Cities Are Growing (The Crime Report) “It is quite profitable for the actors to conduct these sorts of attacks on victims,” said FBI agent Adam Lawson. “At the end of the day, people are paying the ransoms.” The FBI received nearly 1,500 ransomware reports last year.

Rampant Ransomware Attacks: How Cybercriminals Target Governments (WBUR) Across the country, cybercriminals are locking up local government files until ransom is paid. We look at the growing threat of ransomware attacks.

County cyber attack: Database still down, but costs covered (Citizens' Voice) The effects of a May cyber-attack on the Luzerne County computer network are still being felt, though nearly all costs the county incurred thus far should be covered by insurance, according to county Manager David Pedri. The county real estate database —

Social Engineering: The Non-technical Strategy to a Successful Cyber Attack (GC Capital Ideas) Cyber threat actors and their techniques have evolved, but most attacks still contain elements of social engineering. Without complex tools, software or extensive knowledge about the security platform, social engineering is an effective, non-technical strategy used by cyber criminals. It relies primarily on human interaction to gain trust and manipulates people into breaking standard security …

Tackling the Issue of Online Gaming Credential Stuffing (Security Boulevard) Issues in the gaming industry can provide lessons on the threats we face now and what could happen in larger, more critical industries.

Security Patches, Mitigations, and Software Updates

July Patch Tuesday forecast: Rules are changing for companies with custom applications (Help Net Security) Development components may even be an issue for companies who contract or purchase applications from a vendor.

Cyber Trends

Half of organisations don’t think their clients’ data is sensitive, research finds (Bdaily Business News) More than half of organisations believe their own data is more valuable than that of their clients, despite a rise…

State of Application Security at S&P Global World's 100 Largest Banks (Immuniweb) 97 out of 100 largest banks are vulnerable to web and mobile attacks enabling hackers to steal sensitive data.

They Kinda Want to Believe Apollo 11 Was Maybe a Hoax (New York Times) Conspiracy theories were once deadly serious. On the internet, skepticism about the moon landing shows how the mood has shifted.

Marketplace

Reports find new Huawei web flaws, plus troubling links to Chinese intelligence (BGR) Huawei continues to find itself on the wrong end of a sustained negative news cycle, with some of the latest revelations in new reports including assertions that new Huawei web application flaws ha…

Kaspersky Re-Ups With INTERPOL to Fight Global Cybercrime (Channelnomics) Move extends an agreement first inked by Russian vendor in 2014

Orange completes the acquisition of SecureLink, reinforcing its cybersecurity operations in Europe (Orange) Orange announces today that it has completed the acquisition of 100% of SecureLink, the leading independent cybersecurity player in Europe. Since signing a binding agreement with the investment fund Investcorp in May 2019, Orange has obtained approval from the relevant authorities enabling it to complete the transaction for an enterprise value of 515 million euros.

Is Broadcom (AVGO) a Step Closer to Acquiring Symantec? (Yahoo) Broadcom's (AVGO) expanding product portfolio positions it well to address the needs of rapidly growing technologies like IoT and 5G.

Symantec acquisition would give Broadcom a 'potent combination,' Jim Cramer says (CNBC) "If [interim Symantec CEO] Rick Hill can set off a bidding war, that would be the cherry on top," Jim Cramer says.

Virginia firm wins $35M contract for tech work at AFRL in Rome (Central New York Business Journal) The U.S. Department of Defense has awarded CACI Technologies Inc. of Chantilly, Virginia, a more than $34.8 million cost-plus-fixed-fee contract to develop and test software agility and resiliency software/hardware for the Air Force Research Laboratory (AFRL) in Rome.

Carbon Black: Attractive Buy Before Q2 Earnings (Seeking Alpha) Carbon Black reported a very strong Q1 earnings in early May, with revenue growing 21% and cloud revenue growing 80%. Despite the Q1 beat, management only slightly raised full year guidance, implying a conservative approach to the year. Valuation remains a little under pressure and relatively cheap compared to other faster-growth software security names.

Splunk Is Still A Great Buying Opportunity (Seeking Alpha) Splunk offers a platform that helps users derive new insights from machine data. The company has YoY revenue growth of 37.5%, positive free cash flow and scores quite well on the Rule of 40. It is fairly valued relative to other software stocks.

KnowBe4’s Year-Over-Year Sales Skyrocket 50% Over Q2 2019 for Another (PRWeb) KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced a significant year-over-year sales

CrowdStrike Stock Is Still Rallying as Wall Street Raves About Cloud-Based Security (Barron's) A wave of Wall Street analysts picked up coverage of the newly public cloud-based security software company on Monday.

Oppenheimer outlines bull case on CrowdStrike (Seeking Alpha) Oppenheimer was one of the firms that started off coverage on CrowdStrike (NASDAQ:CRWD) with a bullish rating on its expectation for hypergrowth of over 30%.

Here's what Wall Street thinks about CrowdStrike, an unprofitable cybersecurity firm that raised more than $600 million in its June IPO (CRWD) | Markets Insider (Business Insider) Several Wall Street firms initiated coverage of cybersecurity provider CrowdStrike on Monday. CrowdStrike raised $612 million in its IPO, and t...

Northrop Grumman Board Names Kathy J. Warden Chairman (Northrop Grumman Newsroom) The board of directors of Northrop Grumman Corporation (NYSE: NOC) has elected Kathy J. Warden as its chairman, effective August 1, 2019. Warden will serve as chairman, chief executive officer and president. Warden...

Products, Services, and Solutions

Zimperium Receives FedRAMP Authorization From US Federal Government (The Daily Nonpareil) Zimperium, the global leader in mobile threat defense (MTD), announced today that the Zimperium Federal Cloud has achieved a Federal Risk and Authorization Management Program (FedRAMP) Authorization.

Incident response at the speed of light: Cynet launches free offering for incident response service providers (Help Net Security) Cynet offers IR service providers to collect data, investigate and remediate threats on their customers’ environments with Cynet 360 platform for free.

Technologies, Techniques, and Standards

Cyber security risk ratings cannot accurately assess cyber risk across industrial ecosystems (Control Global) According to the Bitsight report, security ratings allow the electric utilities industry to accurately assess risk across their business ecosystem. However, cyber security ratings currently can’t address control system cyber security yet control systems are existential for any industrial organization. Until there is better understanding of the control system cyber risks, security ratings for industrial organizations are meaningless.

European power grids cooperate on cyber-security (SC Magazine) Aurélio Blanquet, the recently elected Chair of the European Network for Cyber Security (ENCS ) Assembly Committee, calls for harmonisation and cooperation, particularly to close skills gap.

At GDPR’s One Year Mark, Continued Compliance Efforts are Key and Can Help with CCPA Compliance (Cooley) With the EU General Data Protection Regulation (the “GDPR”) now over a year old, companies may feel that their data privacy challenges have settled down and that their GDPR work is complete. …

Security Industry Association Releases ANSI-Approved CP-01 False Alarm Reduction Standard (Security Industry Association) SIA CP-01-2019 improves on the 2014 version and adjusts for current technologies; the new standard aims to reduce unnecessary police dispatches.

Mobile Device Authentication with Biometric-Based Access Bridges the Gap Between High-Security and Low-Friction, According to New Research | MobileIron.com (MobileIron) EMA research, sponsored by MobileIron, reveals mobile devices are the future of digital ID; 84% of organizations plan to adopt new authentication solutions within next two years

Lost in Transaction: The end of risk? (Paysafe) Will biometrics replace passwords for online payment authentication in 2019?

Attackers turn the tables on incident response strategies (SearchSecurity) Incident response strategies are not enough to protect against attackers who have incident response counterstrategies. Find out how attackers persevere against well-prepared targets and how to keep the upper hand.

I tried and failed to quit Facebook. Here’s what I did instead (Fast Company) Despite Facebook’s annoyances and privacy violations, abandoning the largest community in human history may have more downsides than benefits.

Design and Innovation

Fingerprint On The Pulse: Biometrics On The Move In More Places Than One (Fingerprints) We may be halfway through 2019, but as the year hurtles onwards, it’s important to pause and reflect on the latest and greatest news from Q2.

Frank Abagnale Jr: cyber security will be an issue "until we get rid of passwords" (Information Age) How can organisations beat malware? Frank Abagnale Jr, the former con man, says we don't stand a chance "until we get rid of passwords".

ISPs call Mozilla ‘Internet Villain’ for promoting DNS privacy (Naked Security) ISPA has shortlisted Mozilla for the sort of award that, on the face of it, no tech company should be keen to win – 2019’s Internet Villain.

Our Commitment to Lead the Fight Against Online Bullying (Instagram) Our mission is to connect you with the people and things you love, which only works if people feel comfortable expressing themselves on Instagram. We know bullying is a challenge many face, particu…

Inside Facebook’s information warfare team (Silicon Valley Business Journal) The social media giant’s ‘info ops’ team is at the frontline of its war on disinformation. Staffed by former intelligence operatives, investigative journalists and hackers the team has become increasingly slick.

How Facebook Fought Fake News About Facebook (Bloomberg) Polling data and secretive projects – ‘Stormchaser’ and ‘Night’s Watch’ – helped the social media giant track public sentiment, and respond to it

If News Recommendation Algorithms Feel Broken, Try This App (WIRED) In an attempt to combat the echo-chamber effect of algorithm-driven news apps, the new iOS app Gem takes a unique approach to recommendations.

Research and Development

BAE nets $4.7M by DARPA to integrate machine learning into RF signals detection (UPI) The Defense Advanced Research Projects Agency has awarded BAE Systems a contract worth up to $4.7 million to integrate machine learning into intelligence gathering involving radio frequency signals.

Legislation, Policy and Regulation

Finland brings cybersecurity to the fore as EU presidency commences (The Daily Swig) Hybrid security exercises planned to counter threats

Iran Launches New Military Command And Control Unit To Withstand U.S. Cyberattack (Forbes) Last month the U.S. used a cyber attack to compromise Iran's command and control systems. Now Teheran has launched a new battlefield communications system it claims is impervious to a repeat attack.

US criticism of ZTE project ‘very absurd’: Chinese Foreign Ministry (Global Times) China dubbed US criticism of a project by Chinese telecommunications company ZTE in Argentina irrational and absurd on Monday, saying the monitoring device deal should not be politicized for ulterior motives.

The Huawei threat: China considers data to be critical national infrastructure (TheHill) As large tech companies and totalitarian regimes perfect their ability to aggregate and harness data, they will better influence social behavior.

India doubts Huawei’s 5G security promises, but U.K. carriers all buy in (VentureBeat) Despite U.S. concerns over Huawei's telecom gear, the heads of foreign allies are at best mixed on whether to ban the inexpensive, ready-to-go hardware.

Facebook and Twitter have not been invited to White House social media summit, sources say (CNN) The White House has not extended invitations to Facebook and Twitter to attend its social media summit on Thursday, people familiar with the matter said.

NSA Releases Semi-Annual Report to Congress (Lawfare) The National Security Agency’s Office of the Inspector General released an unclassified version of its mandatory semi-annual report to Congress covering Oct. 1, 2018 to March 31, 2019. The full document is available here below.

NSA Isn’t Always Following Its Own Cybersecurity Policies, Watchdog Says (Nextgov.com) The NSA Inspector General found the agency has “room for improvement” in every IT security category outlined in FISMA.

NSA Still Grappling With Controls to Guard Against Surveillance Abuse (Government Executive) Watchdog also finds gaps in security of internal data systems.

Litigation, Investigation, and Enforcement

British Airways Hit With Record Fine Following 2018 Cyberattack (Forbes) BA is facing a record fine, showing the true cost of GDPR. Here’s what it means for the company, its investors and others who are hit by a cyberattack.

British Airways vows to fight record £183m data breach fine (The Telegraph) British Airways has vowed to fight a record fine of £183m for a customer data breach last year.

Finally, a watchdog with teeth: BA’s £183m fine shows that the ICO means business (The Telegraph) How do you know today's £183m fine on British Airways for a huge data theft from its website is a landmark ruling?

How The British Airways Breach Will Reveal The True Cost Of GDPR (Forbes) British Airways is the first major test case for ICO GDPR fines. What can we expect?

Dark web takedowns make good headlines, do little for security (CSO Online) Shutting down dark web marketplaces looks and feels good, but it hasn't significantly reduced risk. Worse, it drives cybercriminals to harder-to-track channels.

Security software company Eset sues Smer MP Blaha (Slovak Spectator) The company wants to protect its reputation from statements and videos Blaha has issued.

Lessons From An Israeli Company's Cybertech Patent Litigation (Mondaq) With origins dating back to 1996 and claiming more than $350 million in patent licensing revenue, Finjan Holdings is a frequent plaintiff in U.S. patent litigation. United States Intellectual Property Finnegan, Henderson, Farabow, Garrett & Dunner, LLP 9 Jul 2019

Zoom for Mac bug. Astaroth is out. GoBot2 delivered by torrent. British Airways' GDPR fine. NSA IG reports.

Bring your own context.