Cyber Attacks, Threats, and Vulnerabilities
FSB hackers drop files online (Naked Security) A hacking group that distributed files stolen from a Russian contractor to the media last week has published some of the documents online.
Chances of destructive BlueKeep exploit rise with new explainer posted online (Ars Technica) Slides give the most detailed publicly available technical documentation seen so far.
APT34 spread malware via LinkedIn invites (SC Media) FireEye researchers identified a phishing campaign conducted by APT34 masquerading as a member of Cambridge University to gain their victim's trust to open malicious documents.
Cybercrime gang adds new tactics to credit card data-stealing campaign (ZDNet) FIN8 is distributing new malware as part of its ongoing goal of stealing and selling payment information from customers of retailers and the hospitality sector.
ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling (Gigamon ATR Blog) FIN8 is a financially-motivated threat group originally identified by FireEye in January of 2016, with capabilities further reported on by Palo Alto Networks’…
Vigilante Hacker ‘Phineas Fisher’ Denies Working for the Russian Government (Vice) In a new book, a veteran cybersecurity reporter wrote that the infamous hacker who embarrassed surveillance vendors FinFisher and Hacking Team may be a Russian government agent. We caught up with Phineas Fisher and broke down the evidence.
Citrix Confirms Password-Spraying Heist of Reams of Internal IP (Threatpost) Security experts say the attack stemmed from weak cybersecurity controls.
Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways - Cofense (Cofense) The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work. Email Body: The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel...
Remote code execution vulnerability in VLC remains unpatched (ZDNet) The bug is present in VLC’s latest release.
GE Aestiva and Aespire Anesthesia (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 5.3
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: GE
Equipment: Aestiva and Aespire Anesthesia
Vulnerability: Improper Authentication
2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSMA-19-190-01 GE Aestiva and Aespire Anesthesia published July 9, 2019, on the ICS webpage on us-cert.gov.
NREL EnergyPlus (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 6.1
ATTENTION: Low skill level to exploit
Vendor: National Renewable Energy Laboratory (NREL)
Equipment: EnergyPlus
Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code or cause a denial-of-service condition.
Mitsubishi Electric FR Configurator2 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.1
ATTENTION: Low skill level to exploit
Vendor: Mitsubishi Electric
Equipment: Mitsubishi Electric FR Configurator2
Vulnerabilities: Improper Restriction of XML External Entity Reference, Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may enable arbitrary files to be read or cause a denial-of-service condition.
Emotet: A Technical Analysis of the Destructive, Polymorphic Malware (Bromium) Emotet is a modular loader that was first identified in the wild in 2014.[1] Originally Emotet was a banking Trojan designed to steal financial information from online banking sessions through man-in-the-browser (MITB) attacks, but since 2017 it has been observed distributing other malware families, such as IcedID, Zeus Panda and TrickBot.[2] The malware has been actively developed, with each new version changing or extending its capabilities.
BEC Scammers Trick Employees Into Giving Away Customer Info (BleepingComputer) BEC scammers are now targeting a company's customers using a new indirect attack method designed to collect information on future scam targets by asking for aging reports from collections personnel.
COModo: From Sandbox to SYSTEM (CVE-2019-3969) (Medium) Antivirus (AV) is a great target for vulnerability hunting: Large attack surface, complex parsing, and various components executing with…
Comodo Antivirus Multiple Vulnerabilities (Tenable®) Multiple vulnerabilities were discovered in Comodo Antivirus / Comodo Antivirus Advanced. The following vulnerabilities were verified to be present in version 12.0.0.6810 of Comodo Antivirus, except CVE-2019-3973, which only affects versions up to 11.0.0.6582.
Flaws in widely used corporate VPNs put company secrets at risk (TechCrunch) Researchers have found several security flaws in popular corporate VPNs which they say can be used to silently break into company networks and steal business secrets. Devcore researchers Orange Tsai and Meh Chang, who shared their findings with TechCrunch ahead of their upcoming Black Hat talk, sai…
US Troops Using Russia-Connected FaceApp Urged to Be Cautious (Military.com) Senate minority leader Chuck Schumer wants a congressional investigation into FaceApp.
Deliveroo Accounts Are Being Hacked And Sold For Just $6 (Forbes) Hackers making big bizarre orders from stolen Deliveroo accounts, like a £150 order of ice cream and cakes.
Your Android’s accelerometer could be used to eavesdrop on your calls (Naked Security) Researchers have created an attack called Spearphone that uses the motion sensors in Android phones to listen to phone calls, interactions with your voice assistant, and more.
Lancaster University students’ data stolen in cyber-attack (the Guardian) Records and ID documents accessed and fake invoices sent in ‘malicious’ hack
Lancaster University phishing attack demonstrates vulnerability of higher education sector (SC Magazine) A data breach at Lancaster University exposed data including undergraduate applicant information and student records
Security Patches, Mitigations, and Software Updates
Google bans DarkMatter certificates from Chrome and Android (ZDNet) Mozilla previously banned DarkMatter certificates from Firefox at the start of the month.
Cyber Trends
IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years (IBM News Room) IBM (NYSE: IBM) Security today announced the results of its annual study examining the financial impact of data breaches on organizations. According to the report, the cost of a data breach has...
Corporate Mobile Security Isn’t Cutting It | RSA Conference (RSA Conference Blog) Corporate Mobile Security Isn’t Cutting It
Beyond the Phish 2019 (Proofpoint) A strong cybersecurity posture has many facets.
Marketplace
Startup Foundry DataTribe Announces Second-Annual Cybersecurity Startup Challenge (PRWeb) DataTribe, a global cyber foundry that invests in and co-builds next-generation cybersecurity and data science companies with nation-state experienced technical
Norsk Hydro cyber attack could cost up to $75m (ComputerWeekly.com) March 2019 ransomware attack could cost Norwegian aluminium giant up to $75m in the first half of the year, according to latest estimates.
Bitglass Announces Expansion Into Japan and Canada With New Offices and Strategic Hires (Yahoo) Bitglass, the Next-Gen CASB company, has just announced its expansion into two new markets with the opening of regional offices in Toronto, Canada as well as Tokyo, Japan. At the helm of the regional expansions are David Newall, Canada Country General Manager, and Yasuyuki Shinmen, Japan Country General
DarkMatter Group Expands Its Leadership Team (PR Newswire) Newly appointed EVP of Secure Solutions and EVP of Cyber Defense will play a vital role in delivering DarkMatter's smart and safe digital journey...
Products, Services, and Solutions
ThetaRay 4.0 With IntuitiveAI Gives Banks a Powerful New Weapon Against Financial Cybercrime (Yahoo) ThetaRay, a leading provider of AI-based Big Data analytics, today announced Version 4.0 of the company's namesake advanced analytics platform. ThetaRay's IntuitiveAI solutions replicate the powerful decision-making capabilities of human intuition to detect
Exabeam Security Management Platform Products Approved for Phase IV of the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program (Exabeam) The DHS’s CDM program helps strengthen the cybersecurity of government networks and systems
SearchLight's Biggest Ever Update: New Ways to Discover, Contextualize, and Prioritize Digital Risks (Digital Shadows) Since founding the company in 2011, we've had some memorable milestones: from the first release of SearchLight in 2014, to being named the Leader in Digital Risk Protection by Forrester in 2018. However, today's release marks the biggest and most exciting landmark to date.
WatchGuard Speeds Zero Day Malware Breach Detection from Months to Minutes (West) New AI-based breach mitigation capabilities enable IT solution providers and midsized businesses to automatically detect and remediate zero day threats and evasive malware within minutes
Authentic8 aims to protect DoD with secure browser (Intelligence Online) Californian start-up Authentic8 is looking to establish itself as the Pentagon's main supplier of isolated web browsers, as part of the security overhaul led by the Defense Information Systems Agency
Centrify Brings Enterprise-Grade Privileged Access Management to SMBs with Free Tier Password Vault (Yahoo) Centrify, a leading provider of cloud-ready Zero Trust Privilege to secure modern enterprises, today announced a free cloud-based Privileged Access Management (PAM) offering for the more than half of organizations that do not have a password vault. Centrify’s Free Tier Vault is available immediately
ThetaRay offering uses AI against financial cybercrime (Security Brief) ThetaRay version 4.0 enables banks to pinpoint activity that suggests money laundering, terrorist financing, human and drug trafficking, and other financial crimes.
Thycotic Launches High-Velocity Vault for Securing Access to DevOps Environments (Yahoo) New Product Centrally Stores and Controls Passwords and Secrets Used to Access Applications and Code WASHINGTON, July 23, 2019 /PRNewswire/ -- Thycotic, provider of privileged access management (PAM) ...
D3 Security Creates First Proactive Response Platform by Bringing Together SOAR and the MITRE ATT&CK Framework (BusinessWire) D3 Security has released ATTACKBOT, a unique solution that utilizes the MITRE ATT&CK framework to identify and address the entire kill chain.
Exabeam Security Management Platform Products Approved for Phase IV of the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program (BusinessWire) Exabeam, the Smarter SIEM™ company, today announced that multiple Exabeam Security Management Platform (SMP) products have been approved for Data Prot
Built Like a TANK! Aertight Systems, Inc. Releases a Revolutionary New Wall-Mount, Rugged, Modular, Microsoft Windows Server That Replaces Rack and Tower Servers. (PR Newswire) Aertight Systems, Inc. announces the AERTIGHT™ Server Platform, its new line of rugged, all-in-one Microsoft...
Technologies, Techniques, and Standards
Europe seeks to harmonise smart grid security requirements (Smart Cities World) Baseline cyber-security requirements for smart meters and data concentrators have been announced which aim to raise standards across the industry.
‘Golden Age Of SIGINT May Be Over’: New Encryption Foils IC Eavesdropping (Breaking Defense) "End-to-end encryption of all communications and data, differential privacy, and secure communications for all users are likely to be the new reality," says a new DARPA-funded study.
A Shift in Mindset: 7 Practical Ideas Every CISO Should Know About Threat Hunting (Bricata) As CISOs and security leaders build out enterprise threat hunting programs, we put together a list of practical ideas we've seen around the concept.
Overcoming the Dangers of Virtual Private Networks (DH2i) Most consumers regard Virtual Private Networks (VPNs) as a credible means of securing their data transmissions and overall privacy. Few realize VPNs were initially designed to provide these benefits for on-premise settings, offering only limited efficacy on the assortment of mobile, hybrid cloud, and multi-cloud technologies commonly used today. In fact, in these environments it’s…
Security or compliance? Stop choosing between them (Help Net Security) The difference between security and compliance is more than just process. It’s philosophy and practice. Compliance can be one tactical execution of a
Tricking attackers through the art of deception (Help Net Security) In cybersecurity, deception is redundant if it cannot fulfill its critical aim – to misdirect, confuse, and lure attackers into traps and dead-ends. It is
Thwart the pressing threat of RDP password attacks (Help Net Security) How long does it take for Internet-facing, RDP-enabled computers to come under attack? In some cases, a few minutes. In most, less than 24 hours.
Report: CFPB should assess risks to cloud systems before their deployment (FedScoop) The Consumer Financial Protection Bureau hasn’t comprehensively assessed risks prior to deploying new cloud systems, according to a recent report. As a result, CFPB hasn’t issued a Federal Risk and Authorization Management Program provisional authority to operate (P-ATO) for a cloud system supporting its Consumer Response Call Center. The system itself wasn’t identified in the Federal …
Research and Development
UTSA launches open source software to secure the cloud for users (UTSA Today) UTSA has launched Galahad, a revolutionary open source user computer environment (UCE) for the Amazon Cloud.
Academia
DHS Announces $10.5M Funding Opportunity to Establish MBA in Security Technology Transition (Newswise) DHS is seeking proposals from accredited U.S. universities to educate and build the capabilities of DHS employees. The DHS S&T today announced a $10.5 million funding opportunity for a new DHS Center of Excellence (COE) to develop an Executive Master of Business Administration (EMBA) program focused on security technology transition from federal research and development to operational use.
Legislation, Policy, and Regulation
China to Release New White Paper on National Defense: What to Expect (The Diplomat) China’s strategic environment and capabilities have transformed considerably in the four years since the last document.
China's Huawei Faces New Allegations Over Cyber Security (Forbes) The Czech media have published new evidence about Huawei's dealings in the Czech Republic.
Here’s the clearest evidence yet of why Huawei can’t be trusted, and it involves North Korea (Yahoo News) Up to this point, Huawei has made a valiant effort at defending its reputation against a US-led opposition campaign that's stoked fears the company is basically a proxy for the Chinese central government and security apparatus. Pressed to defend its actions and ban of the company's products,
UK govt delays Huawei security decision, tightens cyber-guards (SC Magazine) UK government delays decision on allowing Huawei to set up 5G network, but pledges to tighten up cyber-security in telecoms sector
Tech firms “can and must” put backdoors in encryption, AG Barr says (Ars Technica) He's tired of "dogmatic announcements that lawful access simply cannot be done."
Barr Says Police Need Encryption Backdoors, Doesn’t Mention Hacking Tools They Use All the Time (Vice) Barr reignited demands for tech companies to find a technical solution to the ‘Going Dark’ issue, but neglected to mention in his keynote speech that law enforcement agencies use hacking techniques to bypass encryption.
Analysis | The Cybersecurity 202: Attorney General Barr fires up the encryption debate (Washington Post) Security and privacy experts pounced on his remarks.
Attorney General Delivers Address on Encryption at Cybersecurity Conference (Lawfare) Attorney General William Barr delivered a keynote address at the International Conference on Cyber Security. The speech can be read here.
NSA Forms Cybersecurity Directorate Under More Assertive U.S. Effort (Wall Street Journal) The National Security Agency will create a cybersecurity directorate later this year as part of an effort to align the agency’s offensive and defensive operations more closely, as it aims at “persistent engagement” in cyberspace against foreign adversaries like Russia, China and Iran.
NSA to establish a defense-minded division named the Cybersecurity Directorate (ZDNet) The NSA's new Cybersecurity Directorate to become operational in October.
NSA to establish new Cybersecurity Directorate to boost defense - CyberScoop (CyberScoop) The National Security Agency is creating a Cybersecurity Directorate to better protect the country against cyberthreats from foreign adversaries, NSA Director Gen. Paul Nakasone said Tuesday. Anne Neuberger will be the intelligence agency’s first director for cybersecurity.
NSA creates new cybersecurity arm to combat foreign threats (CNN) The National Security Agency announced Tuesday it is creating a new Cybersecurity Directorate, which will "unify NSA's foreign intelligence and cyberdefense missions and is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base."
U.S. Elections Are Still Not Safe From Attack (Foreign Affairs) Congress can change that if it acts fast.
The challenge (and benefit) to a more open intelligence community (C4ISRNET) Principal Deputy Director of National Intelligence Sue Gordon says that as foreign powers increasingly target the private sector and general public, the intelligence community needs to be more open and share more information publicly. That could be a net positive for business relations.
Esper confirmed as new defense secretary, ending Pentagon leadership uncertainty (Defense News) The Pentagon had gone more than 200 days without a permanent leader.
Litigation, Investigation, and Law Enforcement
Justice Department to Open Broad, New Antitrust Review of Big Tech Companies (Wall Street Journal) The Justice Department is opening a broad antitrust review into whether dominant technology firms are unlawfully stifling competition, according to department officials.
US announces antitrust review of Big Tech firms (AFP.com) The United States on Tuesday announced it would begin an antitrust review of major online platforms to determine if they have "stifled" innovation or reduced competition.
Justice Department Reviewing the Practices of Market-Leading Online Platforms (US Department of Justice) The Department’s review will consider the widespread concerns that consumers, businesses, and entrepreneurs have expressed about search, social media, and some retail services online. The Department’s Antitrust Division is conferring with and seeking information from the public, including industry participants who have direct insight into competition in online platforms, as well as others.
Analysis | The names you’ll hear in the Mueller hearing (Washington Post) The Mueller report relied on the testimony of some not-household names in President Trump’s orbit.
Justice Department tells Mueller not to answer a wide swath of questions (Washington Post) “You can expect him to stick pretty close to the four walls of the report come Wednesday,” a spokesman said.
FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook (Federal Trade Commission) NOTE: The FTC will host an IN-PERSON press conference at FTC Headquarters, 600 Pennsylvania Ave, NW, Washington D.
U.S. government issues stunning rebuke, historic $5 billion fine against Facebook for repeated privacy violations (Washington Post) The U.S. government on Wednesday issued an unprecedented rebuke of Facebook after a year of massive privacy mishaps, charging the company deceived its users and "undermined" choices they made to protect their data as part of a settlement that requires the tech giant to pay $5 billion and submit to significant federal oversight of its business practices.
Facebook Settlement Requires Mark Zuckerberg to Certify Privacy Protections (Wall Street Journal) Facebook CEO Mark Zuckerberg will have to personally certify that the company is taking steps to protect consumer privacy under a settlement expected to be announced with the Federal Trade Commission Wednesday.
Facebook deceived users about the way it used phone numbers, facial recognition, FTC to allege in complaint (Washington Post) The FTC will allege Facebook was not clear that advertisers could target users who submitted their numbers as part of a security feature and will contend that Facebook gave some people inadequate information about ways to opt out of some facial recognition features. It will not, however, require Facebook to admit guilt, the sources said.
Bulgarian tax office hacker accused of looking for data on the country's prime minister and other VIPs (Computing) Police in Bulgaria claim the results of the search were found on the hackers' PC
IRS missing basic IT security measures (Fifth Domain) The federal government's watchdog recommends the Internal Revenue Service implement over 100 old and new recommendations to address a significant deficiency in the agency's control over its reporting systems.
3 Romanian men sentenced for hacking US servers (Washington Post) Federal prosecutors in Georgia say three men who hacked U.S. computers from Romania have been sentenced to U.S. federal prison for a fraud scheme totaling more than $21 million
Federal judge refuses to dismiss $224M lawsuit against AT&T for SIM-swap bungle (Hard Fork | The Next Web) AT&T must answer to a $224 million lawsuit related to a devastating SIM-swapping incident in 2017, which saw $24 million in cryptocurrency stolen.
Utah awarded $1.4 million as part of ‘largest data breach enforcement action in history’ (St. George News) The Utah Attorney General’s Office has announced its part in a sweeping settlement action against credit monitoring giant Equifax after a 2017 security breach left the data of nearly half of all Americans vulnerable.
Man arrested over UK's Lancaster University data breach hack allegations (Register) 25-year-old Bradfordian cuffed by NCA over '20k' records breach
Two police officers fired for Facebook post that suggested Ocasio-Cortez should be shot (Washington Post) Gretna Police Chief Arthur Lawson called the officer's comment "disturbing" and said "we are not going to tolerate that."