Cyber Attacks, Threats, and Vulnerabilities
LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards (Proofpoint) Proofpoint researchers document recent spear phishing campaigns and a new remote access Trojan targeting US utilities.
How One Researcher Helped Facebook Bust a Saudi Disinfo Campaign (The Daily Beast) Facebook announced Thursday the Saudi government had engaged in “coordinated inauthentic behavior” on the platform, crediting research from Bellingcat.
A Deeper Look at Phishing Against Bellingcat Staff Investigating Russia (RiskIQ) In this article, we’ll explore a different angle to the phishing campaign against Bellingcat by analyzing it from the outside-in perspective of RiskIQ.
UniCredit: No Proof That Cap One Accessed Customers’ Data (PYMNTS.com) UniCredit, in a memo to its staff on Thursday, said that an internal investigation showed no evidence that a recent data breach at Capital One involved any of its own data, according to a report by Reuters. Authorities investigating the case are trying to find out if the alleged hacker, Paige Thompson, hacked any other […]
‘Amateur’ Capital One hack stuns security (Phnom Penh Post) A massive data breach at Capital One appeared to be an unsophisticated attack from a single hacker, raising questions about the security of the financial system and insider threats to cloud computing.
Capital One data breach: What you can do following the banking hack (CNET) The latest banking data breach exposed the records of almost 106 million people.
Two Leading Cybersecurity Organizations Issue Joint Bulletin on Threat of Online Skimming to Payment Security (PCI Security Standards Council) If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards. This site provides: credit card data security standards documents, PCI-compliant software and hardware, qualified security assessors, technical support, merchant guides and more.
Warning over boom in web skimming cyber crime targeting online stores (Computing) Malwarebytes claims to have blocked 65,000 web-skimming Magecart data theft attempts in July alone
Threat Actors Muddy Waters in Middle East with APT Hijacks, Fake Leaks in Q2 2019 (Dark Reading) Cyber security's comprehensive news site is now an online community for security professionals, outlining cyber threats and the technologies for defending against them.
Is The Cyber War With Iran Every Man For Himself? (International Business Times) Iran is at our doorstep, and DHS tells citizens to arm themselves.
Not Your Father’s Bots (Foreign Affairs) A new AI system can create fake news articles that look credible—at high speed and low cost.
New SystemBC Malware Uses Your PC to Hide Malicious Traffic (BleepingComputer) A new malware strain is being distributed by threat actors via exploit kits like Fallout and RIG to hide malicious network traffic with the help of SOCKS5 proxies set up on compromised computers.
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits (Proofpoint) Proofpoint researchers describe a previously undocumented proxy malware currently appearing in RIG and Fallout EK campaigns.
Update your iPhone now: severe vulnerability affecting iMessage (Wandera) All iOS versions below iOS 12.4 are severely vulnerable. As of August 1, only 9.6% of enterprise devices have been updated. Google’s Project Zero has uncovered six bugs in iOS that can be remotely exploited without any user interaction via the iMessage client. Apple has fully patched five of the
Honey Browser Extension Content Script Improper DOM Handling Browser Action UI Spoofing (RiskBased Security) The Honey Browser Extension for Chrome, Firefox, Safari, and Edge allows users to instantly find and apply coupon codes at checkout for over 30,000 online shopping sites and, according to the vendor, 10,000,000 members utilize the extension.
StockX resets user passwords without warning (TechCrunch) StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted to suspicious activity” on its site, despite telling users it was a result of “system updates.” “We recently completed system update…
Advantech WebAccess HMI Designer (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low skill level to exploit
Vendor: Advantech
Equipment: Advantech WebAccess HMI Designer
Vulnerability: Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of this vulnerability may allow an attacker to remotely execute arbitrary code.
Fuji Electric FRENIC Loader (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 4.4
ATTENTION: Low skill level to exploit
Vendor: Fuji Electric
Equipment: FRENIC Loader
Vulnerability: Out-of-Bounds Read
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow information disclosure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of FRENIC Loader, an AC drive, are affected:
3S-Smart Software Solutions GmbH CODESYS V3 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.0
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: 3S-Smart Software Solutions GmbH
Equipment: CODESYS V3
Vulnerabilities: Unverified Ownership, Uncontrolled Memory Allocation
2.
3S-Smart Software Solutions GmbH CODESYS V3 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Low skill level to exploit
Vendor: 3S-Smart Software Solutions GmbH
Equipment: CODESYS V3
Vulnerability: Insufficiently Protected Credentials
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow for an attacker with access to PLC traffic to obtain user credentials.
Rockwell Automation Arena Simulation Software (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Low skill level to exploit
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
Vulnerabilities: Use After Free, Information Exposure
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a current Arena session to fault or enter a denial-of-service (DoS) state, allowing the attacker to run arbitrary code.
LCDS LAquis SCADA LQS File Parsing (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low skill level to exploit
Vendor: LCDS—Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerabilities: Out-of-bounds Read, Type Confusion
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to obtain confidential information or execute remote code.
AirDrop Could Be Leaking Your Phone Number (iDrop News) While iMessage has been the focus of some pretty big security flaws in recent weeks, there’s a new vulnerability that’s been discovered that could allow
AirDrop security flaw can expose your phone number [Video] (9to5Mac) An AirDrop security flaw can allow anyone with a laptop and scanning software to see your phone number. The same is true when you share a Wi-Fi password ...
Neapolitan Backdoor Injection (Sucuri Blog) Our remediation team lead describes how attackers are using a variety of backdoors to avoid detection and maintain access on compromised websites.
LibreOffice handlers defend suite's security after 'unfortunately partial' patch (Register) When is a macro not a macro? When it comes with the product, apparently
We tested 21 Android antivirus apps and found these serious vulnerabilities (Comparitech) Android antivirus apps claim to protect your device, but we found a ton of security holes and privacy risks -- one of them even exposes your address book
Combolists-as-a-Service can now be added to the threat landscape (SC Magazine) Entrepreneurial cyber-criminals are now renting out access to databases that combine log-in, passwords and other details, having first curated and packaged stolen credentials before selling them.
Americans Are Making Phone Farms to Scam Free Money From Advertisers (Vice) Ordinary Americans are using armies of phones to generate cash to buy food, diapers, and beer through ad fraud.
Surveillance videos show alleged criminals attacking ATMs — and the crime is getting more common (CNBC) Hackers have turned their attention to ATMs. Two surveillance videos show alleged criminals attacking ATMs in order to drain them of cash. ATM crime and fraud costs the financial service industry billions each year.
North Carolina county falls for BEC scam, to the tune of $1,728,083 (Naked Security) The county could only claw back some of the $2,504,601 it paid to a scammer posing as a contractor working on building a new high school.
Homeless people keep arriving at Tarzana mansion thinking it’s a shelter, but it’s really a prank by online trolls (Daily News) The prank is the work of thousands of devoted viewers of online streamer ‘Ice Poseidon.’
New Orleans-area school targeted by cyber attack (Fox8Live) Another area school has become the target of cyber-attacks.
A cyber-attack gets $700,000 from the City of Naples (WFTX) Naples City Manager Charles T. Chapman IV tells Fox 4 the city was the victim of a criminal cyber-attack. He says the thieves got away with $700,000.
Security Patches, Mitigations, and Software Updates
Google blocks websites certified by DarkMatter, after Reuters reports (Reuters) Alphabet's Google has blacklisted websites approved by a United Arab Emirat...
IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot on AIX and Linux (CVE-2018-1890, CVE-2018-12547) (IBM PSIRT Blog) Multiple vulnerabilities in IBM® Runtime Environment Java™ were disclosed as part of the IBM Java SDK updates in January 2019.
G Suite news: Anomalous alert activity for Google Drive, Advanced Protection for enterprise users (Help Net Security) New security options for G Suite customers can alert organizations about data exfiltration attempts on Google Drive and help them protect high-risk users.
PowerShell Empire Framework Is No Longer Maintained (BleepingComputer) The Empire post-exploitation framework used by hackers of all hats alike has been discontinued this week, passing the torch to newer tools for offensive activities
Cyber Trends
94% of attacks hitting financial services use one of four methods (Help Net Security) Newly released data by Akamai shows that 50% of all unique organizations impacted by observed phishing domains were from the financial services sector.
5G will make devices more vulnerable to cyberattacks: Akamai CEO (Yahoo) Tom Leighton the co-founder and CEO of Akamai Technologies (AKAM), talks to Yahoo Finance's On the Move about the increasing threat of cyber attacks.
Despite Unclear RoI, Security Fears, IoT Adoption is Booming: Microsoft (Computer Business Review) IoT adoption report: projects typically fail during the proof of concept stage as the implementation costs start to spiral
Many companies don't know the depth of their IoT-related risk exposure (Help Net Security) Cyberattacks caused by unsecured IoT/IIoT devices are increasing because many companies don’t know the depth and breadth of the risk exposures.
Ponemon Institute Reveals Security Teams Spend Approximately 25 Percent of Their Time Chasing False Positives; Response Times Stymied by Legacy Tools (BusinessWire) Exabeam and Ponemon discovered security personnel in U.S. enterprises waste approximately 25 percent of their time chasing false positives.
Brace for controversy: Edward Snowden has written a memoir (Ars Technica) Permanent Record will go on sale in September.
Marketplace
For board of directors, cybersecurity literacy is essential (SearchSecurity) For the board of directors, cybersecurity information is essential. This means, among other things, that CISOs need a seat at the table. Joyce Brocaglia's initiative, BoardSuited, aims to equip security pros with the abilities they need to make the move to the C-suite.
Capital One Hack Hits the Reputation of a Tech-Savvy Bank (Wall Street Journal) Capital One has been known as a bank that plowed into new technology. But a recent hack could shift the lender’s approach from advantage to liability.
Cybersecurity - Fighting the Good Fight Infographic (St. Bonaventure University) Check out this infographic for details about a career in "ethical hacking" and cybersecurity!
How to Get Started in a Cyber Security Career (Phoenix TS TechRoots Blog) Our SME offers guidance on where to start and what to learn for a cyber security career.
The must-have skills for cybersecurity aren't what you think (SearchSecurity) Essential skills for cybersecurity are not just technical ones, though those get the most attention. Just as essential to any functioning security strategy are so-called 'soft' qualities like leadership buy-in and the ability to communicate technical issues in layman's terms.
GoSecure Acquires EdgeWave to Bolster Managed Detection and Response Capabilities (BusinessWire) GoSecure, a leading provider of Managed Detection and Response (MDR) services, announces the acquisition of EdgeWave, a leader in email security.
Everbridge acquires threat intelligence firm NC4 for $83M (Boston Business Journal) Everbridge (Nasdaq: EVBG), a critical event management firm headquartered in Burlington, is acquiring a California-based provider of threat intelligence software for a sum of cash and company stock worth approximately $83 million.
A10 Networks Is in Trouble: Company for Sale, CEO Leaving (Light Reading) A10 Networks, which is struggling to develop a 5G, network security and analytics strategy, is now up for sale. And the founder and CEO is on his way out.
Cloudflare Said To Pursue September IPO, We Say Heck Yes (Crunchbase News) Cloudflare is reportedly going public this year, meaning that we have at least two big-name IPOs left in the tank.
Nasdaq-Listed Radware to Scout for Cloud Security Startups (CTECH - www.calcalistech.com) The information security company is actively looking for acquisitions, chief financial officer Doron Abramovitch said in a Wednesday interview with Calcalist
Cybersecurity Firm Unexpectedly Swings To Profit As Shares Surge (Investor's Business Daily) Rapid7 earnings and revenue for the second quarter beat analyst estimates, as the cybersecurity firm said new investments lie ahead. The Rapid7 earnings news sent shares up on Thursday.
Passion, ingenuity and hard work: The cybersecurity startup story of Israel (Help Net Security) Israel’s DIY approach supports its entrepreneurial spirit and success. The constraints that Israeli people have to work against create innovation.
Leading Zero Trust Access Security Provider Pulse Secure Becomes a Member of MSPAlliance® (Pulse Secure) Pulse Secure, the leading provider of software-defined Secure Access solutions to both enterprises and service providers, today announced that it has become a member of the MSPAlliance, the oldest managed services group and the only accrediting and standards based body created specifically for the managed services provider industry.
Optiv Security Appoints Todd Weber Chief Technology Officer for the Americas (Optiv) Enterprise digital transformation efforts combined with advanced and innovative attack intents have left many organizations’ security operations teams overwhelmed by an inordinately high volume, velocity and variety of cybersecurity data and threats.
Rapid7 appoints Christina Kosmowski to Board of Directors (West) Rapid7, Inc. (NASDAQ: RPD), a leading provider of security analytics and automation, today announced that it has appointed Christina Kosmowski to its Board of Directors, effective July 31, 2019.
CSIRO's Data61 to find new CEO following Adrian Turner's resignation (ZDNet) Turner is stepping down to set up a new venture after four years with Australia's innovation arm.
Products, Services, and Solutions
New infosec products of the week: August 2, 2019 (Help Net Security) Qualys is making its Global IT Asset Discovery and Inventory app available to all businesses for free
Stronger Together: Imperva API Security is Integrated with Red Hat 3scale API Management | Imperva (Imperva) Most enterprises today deploy a multitude of touchpoints where consumers can interact and access the information they require. For many organizations, APIs (Application Programming Interfaces) are the bread-and-butter for enabling inter-enterprise process automation, IoT devices and mobile applications. Even though they are working behind the scenes, APIs are ubiquitous. They help to deliver sports updates, …
Cengage Adds Free Password Management to Subscription Service (Campus Technology) Cengage is now offering free password management for users of its Cengage Unlimited textbook subscription service.
FireEye Adds Web Shell Detection to Protect Servers (FireEye) FireEye web shell detection is available in the 8.3.0 release of FireEye Network Security.
Fortinet Accelerates and Secures the Cloud On-Ramp with New Next-Generation Firewalls (Yahoo) John Maddison, EVP of products and solutions at Fortinet: “An accelerated and secure cloud on-ramp is essential in today’s digital economy.”
Zain Jordan partners with Infoblox to provide secure Internet experience (Intelligent CIO Middle East) Zain, a leading telecom company in Jordan, has implemented the market leading Infoblox ActiveTrust solution to enable secure Internet browsing for its subscribers.
Avast Rolls Out New Router Security Service For Italian Customers (MorningstarUK) (Alliance News) - Consumer cybersecurity firm Avast PLC said Thursday it is rolling out a new ...
MSP to MSSP: Chillisoft fleshes out security offer with Eset Enterprise (New Zealand Reseller News) Security software specialist distributor Chillisoft is making it easier for managed service providers to extend into managed security services via new Eset tools.
SafeBreach launches new platform to prioritize, mitigate security gaps (SearchSecurity) SafeBreach has launched SafeBreach GRID, a breach and attack simulation application that helps security teams prioritize and manage security gaps identified by breach simulation.
ThreatConnect Added to the DHS Continuous Diagnostics and Mitigation Program’s Approved Products List (BusinessWire) ThreatConnect, Inc.®, provider of the industry’s only intelligence-driven security operations platform, is proud to announce that it has been added to
Technologies, Techniques, and Standards
Exabeam 2019 State of the SOC Report: 5 Key Takeaways (MSSP Alert) CIOs and CISOs are increasingly concerned about incident response, automation and threat hunting, according to the Exabeam "2019 State of the SOC Report."
How to Enable the Windows 10 Tamper Protection Security Feature (BleepingComputer) With the release of the Windows 10 May 2019 Update, Microsoft introduced a new security feature called Tamper Protection that protects security settings for Windows Defender antivirus from being disabled by malware or third-party programs.
Why OSINT Analysts Need to Manage Their Digital Identities (Federal News Network) There’s another kind of intelligence gathering, just as important to commercial, military, diplomatic and political operations: open source intelligence.
NYC's real-time cyber defense platform (GCN) New York City's Cyber Command built an open-source, cloud-based data pipeline -- a security log aggregation platform that analysts use to quickly detect and mitigate cyber threats.
Design and Innovation
Facebook open-sources algorithms for detecting child exploitation and terrorism imagery (The Verge) Crowdsourcing a better solution to disturbing photos and videos
Full Fact has been fact-checking Facebook posts for six months. Here’s what they think needs to change (Nieman Lab) More scale, more transparency, and more help with health-related posts.
Microsoft is right, mandatory password changes are obsolete (Help Net Security) Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained
Academia
National Science Foundation cybersecurity grant extended for Penn College (Penn State University) The National Science Foundation recently rewarded Pennsylvania College of Technology’s commitment to tomorrow’s cybersecurity workforce by extending a grant for an additional year.
Legislation, Policy, and Regulation
Cyberspace administration passes review on precondition for purchase contracts for network products and services (International Law Office) The Cyberspace Administration of China recently released the Cybersecurity Review Measures (Draft for Comment). According to the draft, where an operator of critical information infrastructure purchases a network product or service, it must make an ex ante assessment of the potential security risks that could emerge once the product or service is put into operation and produce a security report accordingly.
Undeclared Wars in Cyberspace Are Becoming More Aggressive and Automated (Singularity Hub) The 2020 fiscal budget calls for spending $17.4 billion on cyber-related activities, with the Department of Defense (DoD) alone earmarked for $9.6 billion.
Barr and 'Five Eyes' pledge unity on 'emerging threats' — but questions on Huawei and ISIS remain (Washington Examiner) The so-called "Five Eyes" nations agreed on a lot coming out of their security summit in London this week, but didn't end up with concrete plans for two major challenges: the security threat posed by Chinese tech firm Huawei, and the stalemate over how to deal with thousands of foreign-born Islamic…
Incoming: Cyber Threats Need Less Hand-to-Hand Combat, More Collective Defense (SIGNAL Magazine) We need strategies and mesh solutions, such as managed security services, that are designed at the enterprise level and include all Defense Department stakeholders, regardless of how small or niche they are, to ensure that all are adequately protected.
New Senate bill seeks improvements to federal cybersecurity (Homeland Preparedness News) U.S. Sens. John Cornyn (R-TX) and Maggie Hassan (D-NH) introduced cybersecurity legislation this week, seeking to improve the work of the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. Their solution is the Advancing Cybersecurity Continuing Diagnostics …
Effort to Exempt “HR Data” from CCPA Falters (Cooley) Labor groups concerned about employee privacy have succeeded in slowing the effort to pass legislation exempting employer-held information from the California Consumer Privacy Act (“CCPA”). T…
After cyber attack cripples Strafford County, Hassan joins fed push for more spending (Union Leader) Four weeks after a cyberattack, Strafford County Commission Chairman George Maglaras says the lingering damage caused by the computer virus is serious.
Litigation, Investigation, and Law Enforcement
Will Capital One be held accountable for data breach? In Canada, probably not (Financial Post) Our ‘toothless’ enforcement system is unlikely to levy any large penalties. Rather, individuals will have to fight through civil suits
Republicans launch inquiry into data breaches (Financial Times) House panel requests briefings with Capital One and Amazon over nature of information stolen
FTC Antitrust Probe of Facebook Scrutinizes Its Acquisitions (Wall Street Journal) The Federal Trade Commission is examining Facebook’s acquisitions as part of its antitrust investigation into the social-media giant—to determine if they were part of a campaign to snap up potential rivals before they could become a threat, according to people familiar with the matter.
Fed Examined Amazon’s Cloud in New Scrutiny for Tech (Wall Street Journal) The visit to an Amazon facility in Virginia is a first for federal banking regulators.
Perspective | Don’t count on a big cash payout from Equifax. But still get the free credit monitoring. It’s far more valuable. (Washington Post) So many consumers want the $125 cash offer in lieu of free credit monitoring that many won't get much money.
NY Set to Recoup $1.3 Million in Settlement With Cisco Systems in Cybersecurity Whistleblower Case (New York Law Journal) The $6 million settlement, of which New York will receive $1.3 million, was part of a larger $8.6 million settlement announced by attorneys for the whistleblower Wednesday.
Whistleblower Vindicated in Cisco Cybersecurity Case (Voice of America) A computer security expert who has won a trailblazing payout in a whistleblower lawsuit over critical security flaws he found in October 2008 in Cisco Systems Inc. video surveillance software thought his discovery would be a career-boosting milestone. James Glenn imagined at the time that Cisco would credit him on its website. The software was, after all, used at major U.S.
YouTube Tweaked Algorithm to Appease FTC But Creators are Worried (Bloomberg) A software update that came in July, without explanation, was designed to promote “quality” children’s videos
Google will pause listening to EU voice recordings while regulators investigate (The Verge) Germany’s data protection commissioner is investigating
Facebook says it was 'not our role' to remove fake news during Australian election (the Guardian) Facebook executive Simon Milner says company ‘only removes content that violates our community standards’
Cops Are Giving Amazon's Ring Your Real-Time 911 Caller Data (Gizmodo) Amazon-owned home security company Ring is pursuing contracts with police departments that would grant it direct access to real-time emergency dispatch data, Gizmodo has learned.
You'll Get Your Equifax Money. It Just Might Take a While (Wired) Despite the FTC pushing people away from an Equifax cash payout, there's a good chance you'll get all $125. Eventually.