Cyber Attacks, Threats, and Vulnerabilities
Microsoft: Russian state hackers are using IoT devices to breach enterprise networks (ZDNet) Microsoft said it detected Strontium (APT28) targeting VoIP phones, printers, and video decoders.
Russian hackers show why you need to change your office printer password (Mashable) The group responsible for the 2016 DNC hack is still at it, says Microsoft
Russian APT Abuses IoT Devices to Infiltrate Corporate Targets (BleepingComputer) A Russian-backed hacking group was observed by Microsoft security researchers while compromising popular IoT devices to gain a foothold within several corporate networks.
Russian government hackers used office technology to try to breach privileged accounts (CyberScoop) Early this spring, Russian government-linked hackers used three popular internet of things devices with weak security to access several Microsoft customers’ networks, then tried infiltrating more privileged accounts, researchers announced Monday.
Corporate IoT – a path to intrusion (Microsoft Security Response Center) Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large complex enterprises. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases, however, the customers’ IT operation center doesn’t know they exist on the network.
'Machete' Cyberspies Target Military in Venezuela, Ecuador (SecurityWeek) The threat actor behind the cyberespionage campaign dubbed Machete continues to be active and some of its most recent attacks targeted the military in Venezuela and Ecuador.
A cyber-espionage group has been stealing files from the Venezuelan military (ZDNet) It is unclear if the Machete group is state-sponsored, or a freelancer selling data to the highest bidder.
Sharpening the Machete (WeLiveSecurity) ESET research uncovers a cyberespionage operation that uses the Machete malware toolset to target the military forces of various Latin American countries.
Research shows that devices banned by US government lack basic security practices (Help Net Security) The banned devices lack basic security building blocks and consequently expose users to the security threats that are alleged by the US.
Democratic senate campaign group exposed 6.2 million Americans’ emails (TechCrunch) A political campaign group working to elect Democratic senators left a spreadsheet containing the email addresses of 6.2 million Americans on an exposed server. Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffe…
Ransomware Used in Multimillion-Dollar Attacks Gets More Automated (Dark Reading) The authors of MegaCortex appear to have traded security for convenience and speed, say researchers at Accenture iDefense.
MegaCortex ransomware slams enterprise firms with $5.8 million blackmail demands (ZDNet) New malware strains are hitting enterprise companies in Europe and the US.
MegaCortex Ransomware Revamps for Mass Distribution (Threatpost) Manual steps have been replaced by automation.
Puzzling Gwmndy Botnet Focuses on Low-Volume Proxy Connections (Threatpost) After infecting Fiberhome routers, its sole purpose seems to be setting up SOCKS5 proxies.
New Lord exploit kit is spreading 'Eric' ransomware, according to Malwarebytes (Computing) Lord EK part of malvertising chain spread via PopCash ad network, exploiting security flaws in Flash Player
QualPwn Bugs In Snapdragon SoC Can Attack Android Over the Air (BleepingComputer) Two serious vulnerabilities in Qualcomm's Snapdragon system-on-a-chip (SoC) WLAN firmware could be leveraged to compromise the modem and the Android kernel over the air.
Monzo Stored Customer PINs in Log Files (Infosecurity Magazine) Digital bank Monzo has admitted to storing its customer access PINs in the wrong place.
We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly (Monzo) No information has been exposed outside Monzo, and there’s no evidence that this data has been used for fraud. We’ve updated the app, and we’ve contacted some of you to let you know you should change your PIN as a precaution.
Clothing marketplace Poshmark confirms data breach (TechCrunch) Poshmark, an online marketplace for buying and selling clothes, has reported a data breach. The company said in a brief blog post that user profile information, including names and usernames, gender and city data was taken by an “unauthorized third party.” Email addresses, size preferen…
The Risk of Weak Online Banking Passwords (KrebsOnSecurity) If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process.
Apple iMessage flaw stokes concerns over iPhone sandbox security (SC Media) Flaws allowing remote exploits on iOS call into question the effectiveness of platform security for those users who have not yet upgraded to iOS 12.4 - sandbox deemed 'defeatable'.
Hackers exploit SMS gateways to text millions of US numbers (Naked Security) Receive any strange SMS text messages recently? If you live in the US, there’s a small chance you might have received an SMS with the following text in the last few days from someone called ‘j3ws3r…
HEXANE Threat Group Seen Targeting Industrial Control Systems (Security Intelligence) Researchers spotted a new activity group called HEXANE targeting industrial control systems (ICSs) in the Middle East.
A newly discovered hacking group is targeting energy and telecoms companies (TechCrunch) There’s a new hacking group on the radar targeting telecommunications and oil and gas companies across Africa and the Middle East. Industrial security company Dragos, which discovered the group, calls it “Hexane,” but remains largely tight-lipped on its activities. The security co…
Yet another hacking group is targeting oil and gas companies, Dragos says (CyberScoop) A previously undocumented hacking group has been targeting oil and gas companies along with telecommunications providers from Africa to Central Asia to the Middle East, the industrial cybersecurity company Dragos said Thursday.
Nine Distinct Threat Groups Targeting Industrial Systems: Dragos (SecurityWeek) The number of tracked threat groups targeting industrial control systems (ICS) environments rose to nine, industrial cybersecurity firm Dragos reveals in a new report.
HEXANE (Dragos) Dragos identified a new activity group targeting industrial control systems (ICS) related entities: HEXANE. Dragos observed this group targeting oil and gas companies in the Middle East, including Kuwait as a primary operating region. Additionally, and unlike other activity groups Dragos tracks, HEXANE also targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks.
Nvidia security flaws could be used to commit denial of service attacks on Windows PCs (Computing) Five security flaws in Nvidia GPU drivers leave PCs open to privilege escalation and denial of service attacks.
New Weaknesses Found in WPA3 (Decipher) Researchers have discovered two new flaws in the Dragonfly handshake in the WPA3 WiFi security standard.
E3 organizer leaks personal info of over 2,000 media and content creators (pcgamer) The ESA has apologized for revealing names, addresses, and phone numbers to the public.
Vulnerability Summary for the Week of July 29, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Five examples of user-centered bank fraud (Help Net Security) Phishing attacks are just one tactic to be aware of in the age of e-banking. Here are five more ways hackers attack banks through their users.
Water billing to resume in Baltimore months after hacking (Washington Post) Baltimore is expected to start issuing water bills again this week, months after a ransomware attack that hobbled the city’s computer network
Security Patches, Mitigations, and Software Updates
Industrial Giants Respond to 'Urgent/11' Vulnerabilities (SecurityWeek) Several major industrial and automation solutions providers have responded to the Wind River VxWorks vulnerabilities dubbed Urgent/11.
Google and Apple suspend contractor access to voice recordings (Naked Security) Apple and Google have announced that they will limit the way audio recorded by their voice assistants, Siri and Google Assistant, are accessed internally by contractors.
VMware Patches Potentially Serious Pixel Shader Vulnerabilities (SecurityWeek) VMware patches potentially serious pixel shader vulnerabilities affecting ESXi, Workstation and Fusion, including one caused by a flaw in an NVIDIA graphics driver.
Cyber Trends
Top Threats to Cloud Computing: Egregious Eleven (Cloud Security Alliance) The report provides organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies.
Next Generation Cyber: Malware-Free Attacks (Infosecurity Magazine) The rise in malware-free attacks is particularly troubling because fossilized cybersecurity solutions have proven ineffective
Philippines fifth on cyber-attack list (Business World) THE Philippines moved up to fifth place from ninth a year earlier in Kaspersky Lab’s global list of countries with most online threats detected in the second quarter of 2019.
Marketplace
Army to host Cyber Situational Understanding Industry Day (Intelligence Community News) On August 2, the U.S. Army posted an invitation to the upcoming Cyber Situational Understanding (SU) Industry Day. The Industry Day will take place on August 12, and feedback is due by 9:00 a.m. Eas…
Cybereason raises $200 million for its enterprise security platform (TechCrunch) Cybereason, which uses machine learning to increase the number of endpoints a single analyst can manage across a network of distributed resources, has raised $200 million in new financing from SoftBank Group and its affiliates. It’s a sign of the belief that SoftBank has in the technology, s…
The Quick and The Dead (Cybereason) In the business of cybersecurity, the name of the game is speed. I'm thrilled to announce Cybereason’s latest round of funding with Softbank, bringing their investment in us since founding to almost 400 million dollars.
CyberRisk Alliance Acquires SC Media (SC Media) CyberRisk Alliance (“CRA”), a business intelligence company serving the cybersecurity and information risk
Microsoft Azure Security Lab Offers $300K Rewards For Exploits (Threatpost) Microsoft says its Azure Security Lab will dole out rewards topping $300,000 for researchers to exploit customer-safe cloud environments.
Apple Will Provide Special iPhones For Hackers To Test And Offer Mac Bug Bounty, Sources Say (Forbes) Apple is planning some big security announcements in Las Vegas this week, Forbes has learned. They include a macOS bug bounty and so-called "dev devices" for iPhone researchers.
FireEye Continues To Sink On Weak Fundamentals (Seeking Alpha) FireEye is a cybersecurity company that is strong in external threat intelligence services. The company wants to sell solutions for primary level of defense but lacks the breadth of offerings that its rivals have. It is experiencing significant customer churn and lower margins during the transition from 3rd-generation appliances to modern solutions.
BSides Manchester Hits Back at Sponsor Influence Claims (Infosecurity Magazine) Organizers of BSides Manchester respond to accusations of corporate influence by a sponsor.
Huawei’s Phone Sales in China Get Patriotic Boost (Wall Street Journal) Huawei’s domestic smartphone sales have surged because of a buying spree by its outraged Chinese fan base, while the U.S. ban on tech sales to the company has crippled its overseas sales.
Huawei’s Latest Earnings Mask Its Trouble Outside China (WIRED) Huawei last week touted a 23% increase in first-half revenue, despite US sanctions. But smartphone sales fell outside its home country.
Huawei face same security standards as Ericsson and Nokia (Capacity Media) A Huawei executive has asked for equal treatment with Nokia and Ericsson on security checks – saying they also have Chinese connections
Marriott Shares Fall After Hit From Cyber Fine Crimps Earnings (Bloomberg) Marriott International Inc. reported earnings per share of 69 cents, compared with $1.87 in the year-ago quarter, after the company took a one-time charge of $126 million related to the massive cyber-breach in one of its reservation databases. Shares fell.
Cloudflare Ditches 8chan. What Happens Now? (WIRED) In an interview with WIRED, Cloudflare CEO Matthew Prince explains his decision to stop protecting 8chan—and where the notorious forum goes from here.
8chan forum offline as Cloudflare cuts support (BBC News) The hate-filled site used by mass shooting suspects becomes inaccessible after security is pulled.
8chan is getting a lifeline from a company that services far-right sites like The Daily Stormer (Fast Company) After Cloudflare cut ties to 8chan in the wake of the El Paso shooting, the controversial forum site signed on with BitMitigate.
Dumped by Cloudflare, 8chan gets back online—then gets kicked off again (Ars Technica) 8chan and Daily Stormer now both offline as a cloud provider cuts off access.
8chan vowed to fight on, saying its ‘heartbeat is strong.’ Then a tech firm knocked it offline. (Washington Post) Abandoned by a key partner for its "lawlessness" in the wake of mass shootings, the anonymous message board vowed to stay online, even as its posters threatened more bloodshed.
8chan’s new internet host was kicked off its own host just hours later (TechCrunch) The bottom-feeding forum 8chan, which grew popular by embracing fringe hateful internet cultures, is having trouble staying online. After Cloudflare dropped its protection of the site yesterday, 8chan adopted the services of Bitmitigate, but soon lost that too as the company providing Bitmitigate w…
Protecting Free Speech Or Hate Speech? Shootings Intensify A Cybersecurity Dilemma (WBUR) In Greater Boston's large cybersecurity community, some executives are thinking hard about the decision one of their counterparts in California has made to cut services to 8chan, a website where the alleged El Paso gunman posted racist comments.
Sharma Upadhyayula Joins Aura As Head Of Product & Engineering (PR Newswire) Aura, a unified digital threat protection platform that makes security simple for everyone, today announced...
Cato Networks loses local head to Palo Alto, says everything is fine (CRN Australia) Channel picks up the slack while vendor hires new local crew.
Bitdefender Snags Fortinet's Bellano To Lead North American Channels: Exclusive (CRN) Bitdefender has hired longtime Fortinet channel leader Bill Bellano to tighten the endpoint security provider's bond with its top solution providers in North America.
Products, Services, and Solutions
Synack Commits to Supporting the Advancement of Women in Cybersecurity by Launching a Courageous Women in Security Initiative (BusinessWire) Synack launches an initiative to support the advancement of women in cybersecurity with partners Booz Allen Hamilton, CyberWire, and M12.
BlackBerry Advances Real-Time Adaptive Security and Artificial Intelligence With BlackBerry® Intelligent Security (PR Newswire) BlackBerry Limited (NYSE: BB; TSX: BB) today announced the launch of BlackBerry® Intelligent Security, the...
SiteLock Announces the Industry’s Only Solution to Automatically Scan For and Remove Malware and Spam From Website Databases (PRWeb) New enhancements to SMART® Database extends support across WordPress, Joomla! and any other web application that uses a MySQL database, providing the highest level of protection for customer data
Mobile App Protection Made Easy with Irdeto Trusted Software (Irdeto) Superior, zero-touch mobile app protection service optimized with machine learning empowers developers to focus on time-to-market and business logic, leaving app protection to Irdeto
Digital Guardian Releases ‘DG Wingman’ – a Free Forensic Tool for Security Professionals (Digital Guardian) Digital Guardian today announced the immediate availability of DG Wingman, its new free forensic artifact collection tool for security professionals.
Thales helps organizations combat the future security threats of quantum computing (Yahoo) PARIS, Aug. 5, 2019 /PRNewswire/ -- Thales today announced its collaboration with ISARA Corp. and ID Quantique (IDQ), leading providers of complementary quantum-safe security solutions, to collaborate on a quantum-safe, crypto-agile solution designed to protect against the security threat of quantum
Skybox and Zscaler team up for stronger cloud firewall integration (Cloud Tech News) If there is one thing safer than a cloud security provider, it is two cloud security providers – in theory, at least.
New features added to Juniper Networks security platform (SearchSecurity) New Juniper Networks security features include containerized firewalls and the incorporation of SecIntel into MX Series routers in an effort to provide multiple points of security throughout a network.
BlackBerry Intelligent Security enables flexible security policy (SearchSecurity) The new BlackBerry UEM platform, BlackBerry Intelligent Security, claims to be able to adopt a more flexible or stricter security policy based on users' location.
Technologies, Techniques, and Standards
GIAC Launches New Cyber Security Certification for GIAC Defensible Security Architecture (Yahoo) In today's world, everyone knows that cyber threats are on the rise – and that no organization is exempt from being targeted by dangerous adversaries. Well-rounded defenders are an essential part of mitigating these threats, and they must be skilled at implementing and maintaining an effective combination
New Cyber Security Alliance Aims to Fight Back (Bitdefender)
What Companies Should Know When Shopping for AI (Wall Street Journal) As companies embark on more artificial-intelligence projects, they are finding that striking deals with AI firms requires hammering out details about matters such as data privacy and which party gets the algorithm after a contract ends.
You are only as vulnerable as your last backup (IT Pro Portal) Mr Backup's thoughts on best practice to combat ransomware attacks.
Economics of Ransomware - To Pay Or Not To Pay? (SecurityWeek) In the event of a ransomware incident, paying the ransom is often not prohibitively expensive, especially compared to the damage / costs associated with having the payload of the ransomware detonate.
Include Deepfakes in Incident Response Planning, Before Financial Damages (Decipher) Deepfakes aren’t just weird political videos. Enterprises should be concerned about how deepfakes could impact their reputation and financial health and include them in incident response plans.
When should the Army’s cyber school teach information warfare? (Fifth Domain) As Army Cyber Command shifts toward teaching information warfare, the cyber school is figuring out how to make the transition.
FileZilla fixes show how far we’ve come since Heartbleed (Naked Security) What have seven security fixes in FileZilla got to do with 2014’s Heartbleed bug?
Design and Innovation
Google and ARM Tackle Android Bugs with Memory-Tagging (Threatpost) Buffer overflows, race conditions, use-after-free and more account for more than half of all vulnerabilities in the Android platform.
Israeli startup targets phone scammers with new biometric trap (Times of Israel) 'Hundreds of subtle signs' are used by BioCatch software to spot a victim of online fraud being duped
Research and Development
A Decades-Old Computer Science Puzzle Was Solved in Two Pages (WIRED) With a stunningly simple proof, a researcher has finally cracked the sensitivity conjecture, "one of the most frustrating and embarrassing open problems."
Legislation, Policy, and Regulation
U.S. Expands Sanctions Against Venezuela Into an Embargo (Wall Street Journal) The new measures mark a significant escalation of pressure against the regime of President Nicolás Maduro and countries including Russia and China that continue to support him.
John Bolton leads U.S. delegation to the Lima Group's conference on Democracy in Venezuela (Peruvian Times) U.S. National Security Adviser John Bolton and the U.S. Secretary of Commerce, Wilbur Ross, are
India Is the World’s Leader in Internet Shutdowns (Foreign Policy) New Delhi clamps down on internet access in Kashmir as it moves to limit the troubled region’s constitutional autonomy.
Lawmakers Urge State Department to Warn American Travelers about Chinese Surveillance (Nextgov.com) Sens. Marco Rubio and Ron Wyden want travelers to know of tracking threats abroad.
Key House Republican demands answers on federal election security efforts (TheHill) Illinois Rep. Rodney Davis, the top Republican on the House Administration Committee, demanded answers from the Election Assistance Commission (EAC) on Monday regarding election security oversight issues.
Can Free Vendors Really Meet 2020 Cybersecurity Demands? (Campaigns & Elections) The growing number of cybersecurity vendors offering free or low-cost services to campaigns may discourage practitioners from allocating sufficient funding to pay for online protections.
The Best Way to Deal With Russia: Wait for It to Implode (POLITICO Magazine) Why the ticking time-bomb of separatism that Putin fears so much will explode in 10, 20 or—maximum—30 years.
The Rise of the Global Cyber War Threat (CPO Magazine) Global cyber war no longer seems impossible with state-sponsored cyber attacks mounting around the world and the possibility of China, Iran and Russia uniting to go against the U.S. in the cyber domain.
Young people should do national cyberservice (Times) Every 50 seconds a British company is subjected to a cyberattack, and the picture is similar across the western world. While none of the 146,491 such attacks on UK businesses during the first...
'Hefty fines help counter complacency on cyber-security' (SC Magazine) Heavy financial penalties can act as a deterrent for organisational complacency on cyber-security, says Chartered Institute of Information Security CEO Amanda Finch
Senators look to codify CDM (FCW) Two senior lawmakers are teaming up on a bipartisan effort to codify the Continuous Diagnostics Mitigation program run by DHS.
ESET Survey Reveals Widespread Business Confusion About Upcoming CCPA Regulation (Yahoo) ESET, a global leader in IT security, today released the findings of its survey on business readiness for the California Consumer Privacy Act (CCPA). ESET polled 625 business owners and company executives to gauge business readiness for the upcoming regulation, which goes into effect on January 1, 2020
Another mass shooting, another wave of politicians pointing at video games (Ars Technica) House minority leader, Texas Lt. Gov. say violent games "dehumanize" players.
Litigation, Investigation, and Law Enforcement
North Korea took $2 billion in cyberattacks to fund weapons... (Reuters) North Korea has generated an estimated $2 billion for its weapons of mass destru...
North Korea made $2bn from cyber crime and spent it on weapons, claims UN (Computing) North Korea used to raise funds via counterfeit money, and by producing and distributing amphetamines
Why we're playing a game of 'whack-a-mole' with online extremists (The Telegraph) In the wake of the El Paso shooting, which left 20 people dead, the belated decision to finally force controversial messaging board site 8chan offline has been hailed as a victory by some on the internet.
The Wrong Way to Talk About a Shooter's Manifesto (WIRED) The more oxygen these manifestos get, the wider their messages spread. And no one understands that better than the people posting them.
Feds: FBI 'exercised remarkable caution' in CIA worker probe (Casper Star-Tribune Online) NEW YORK (AP) — The FBI "exercised remarkable caution and candor" in securing search warrants that led to espionage charges against a former CIA employee, prosecutors have told a federal
Marriott takes $126m GDPR charge over Starwood hotel reservation system data breach (Computing) Marriott has set aside the cash to cover an anticipated £99m fine under GDPR for its November 2018 security breach
ID Theft Stings, But it's Hard to Pin on Specific Data Hacks (SecurityWeek) Few data breach victims can ever pin the blame on any specific breach, whether that’s Equifax from 2017 or the disclosed breach at Capital One.
College student who sought Trump tax returns in cyber 'prank' to plead guilty (The Mighty 790 KFGO) By Jonathan Stempel (Reuters) - A recent graduate of Pennsylvania's Haverford College who tried to obtain Donald Trump's tax returns through a computer lab there has agreed to plead guilty to cybersecurity violations, federal prosecutors said on Monday. Justin Hiemstra, 22, of St. Paul Park, Minnesota, is expected to enter his plea on Tuesday in...