The CyberWire Daily Briefing, 8.30.19

Summary

By the CyberWire staff

Google's Project Zero has released details of its research into a quiet, sustained watering-hole campaign against iPhone users. They found five distinct exploit chains in use by the attackers. "There was no target discrimination," Google's blog says, "simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." Apple patched the zero-day vulnerability the campaign exploited in February. Google notes that this single campaign probably represents the proverbial tip of the iceberg. There are probably others, Mountain View says, that remain undetected.

The Wall Street Journal reports that US prosecutors are investigating Huawei for alleged intellectual property theft.

PerCSoft, cloud provider for Digital Dental Record and a widely used back-up data repository for the US dental profession, has sustained a ransomware attack. KrebsOnSecurity says that PerCSoft may have paid the ransom to obtain a decryptor, but there are reports the decryptor hasn't been fully successful. The ransomware strain involved appears to be REvil, also known as Sodinokibi.

Apple has responded to privacy concerns over its recording of Siri interactions by deciding to disable recording and storage by default. This autumn users will be given the option of turning it on, Ars Technica reports, should they be interested in helping train the AI.

Cryptojacking charges have been added to the ones accused Capital One hacker Paige Thompson faces. An additional indictment was filed Wednesday, Infosecurity Magazine reports.

Have Your Users Made You an Easy Target for Spear Phishing?

Notes.

Today's issue includes events affecting Bulgaria, China, Germany, Ireland, Netherlands, United Kingdom, United States

Bring your own context.

Microsegmentation can bring significant security advantages. But where should you start?

"You know, microsegmentation is, frankly, quite difficult. And what you need to do first is determine what your objective is. Is your objective to protect specific critical applications and their assets, or is your objective to fully segment the entire environment? Either way, you need to choose a starting point. And that typically centers around a specific application that you wish to protect. My advice, personally, is to start with your backup infrastructure. And I know that sounds counterintuitive. Why would you care about your backup infrastructure? But the reason you care about it is because it has every piece of protected information you could ever wish to protect. It is the most compelling target I can think of in the cloud or in the data center. If you get into the backup infrastructure, you've got all the keys to the castle."

—Peter Smith, CEO of zero trust segmentation firm Edgewise, on the CyberWire Daily Podcast, 8.28.19.

(And, seriously, do have a backup infrastructure.)

Happy Labor Day.

We'll be taking our customary US Federal holiday on September 2nd. Publication and podcasting will resume as normal on Tuesday. Research Saturday and the Week that Was will be out as normal tomorrow. Enjoy the holiday, America, including those of you are marking the traditional end of summer vacations with an early departure from work today. (Drive safely.)

Conduct secure and anonymous research on the open and dark web.

If you are doing online research, the common web browser can betray you by exposing you and your organization to cyber attacks. Authentic8, the maker of Silo Cloud Browser and Silo Research Toolbox, ends this betrayal. Silo insulates and isolates all web data and code execution from user endpoints, providing powerful, proactive security even if you are gathering data and collections across the deep and dark web. Learn more.

On the Podcast

In today's podcast, out later this afternoon, we speak with our partners at Terbium Labs, as Emily Wilson tells us about how back-to-school season plays out in the fraud markets. The CyberWire's middle-school correspondent, Jack Bittner, shares his insights on how the sixth-through-eighth-graders are handling security nowadays.

Sponsored Events

Cyber Security Summits: Chicago on August 27 and on September 17 in Charlotte (Chicago, Illinois, United States, August 27, 2019) Register for reduced admission to the Cyber Security Summit with promo code cyberwire19 for $95 admission ($350 without code). Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security from experts from The FBI, Google, IBM, Darktrace, and more. Breakfast, Lunch & Cocktail Reception are included with your admission. Passes are limited, secure yours today: www.CyberSummitUSA.com

10th Annual Billington CyberSecurity Summit (Washington, DC, United States, September 4 - 5, 2019) The event will be an important Call to Action for the cybersecurity community and is the deepest examination of the cybersecurity and government at the local, state, Federal and International levels found anywhere.

Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.

Zero Day Con (Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 30% discount for Labor Day using code LABOR30.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

US military carried out secret cyberstrike on Iran to prevent it from interfering with shipping, officials say (Stars and Stripes) American military cyber forces in June knocked out a crucial database used by Iran's elite paramilitary force to target oil tankers and shipping traffic in the Persian Gulf hours after that force shot down an unmanned U.S. surveillance drone, according to U.S. officials.

Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years (Vice) It may be the biggest attack against iPhone users yet.

Mysterious iOS Attack Changes Everything We Know About iPhone Hacking (Wired) For two years, a handful of websites have indiscriminately hacked thousands of iPhones.

‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information (TrendLabs Security Intelligence Blog) We uncovered a campaign named Heatstroke whose phishing attacks use multistage techniques to steal PayPal and credit card information.

Botnet targets set-top boxes using Android OS (Naked Security) Production systems aren’t supposed to have the ADB turned on, but some set-top boxes do.

TimThumb Attacks: The Scale of Legacy Malware Infections (Sucuri Blog) Our senior researcher describes the scope and impact of the TimThumb vulnerability and how it lead to remote code execution and backdoors on compromised websites.

This Spreadsheet of ‘The Worst 25 Passwords’ Is Actually Malware (Vice) Hackers are getting meta.

Phishing Campaign Hides Malware in Resumes (Infosecurity Magazine) Cyber-criminals pose as job seekers to deliver Quasar RAT.

Popular CamScanner app for Android infected with nasty malware (HackRead) CamScanner app has been deleted by Google from Play Store.

More_eggs, Anyone? Threat Actor ITG08 Strikes Again (Security Intelligence) X-Force IRIS observed ITG08, which has historically targeted POS machines in the retail and hospitality sectors, injecting malicious code into online checkout pages to steal payment card data.

Ransomware Bites Dental Data Backup Firm (KrebsOnSecurity) PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.

Hundreds of dental offices crippled by ransomware attack (CNN) A ransomware attack has crippled an estimated 400 dental practices across the US.

IntSights Exposes Top Dark Web Marketplace Selling Digital Browser Identities as the Latest Hot Commodity (PR Newswire) IntSights, the threat intelligence company focused on enabling enterprises to Defend Forward™, announced today the...

Change Healthcare McKesson and Horizon Cardiology (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low skill level to exploit Vendor: Change Healthcare Equipment: Change Healthcare Cardiology, Horizon Cardiology, McKesson Cardiology Vulnerability: Incorrect Default Permissions 2.

Philips HDI 4000 Ultrasound (CISA) 1. EXECUTIVE SUMMARY CVSS v3 3.0 ATTENTION: Public exploits are available/exploitable from within the same local subnet Vendor: Philips Equipment: HDI 4000 Ultrasound Systems Vulnerability: Use of Obsolete Function 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to exposure of ultrasound images (breaches of confidentiality) and compromised image integrity.

Facebook Admits 'Technical Error' In Messenger Kids App Connected Children With Strangers (Forbes) Facebook acknowledged on Thursday in a letter to two Democratic senators that a design flaw in its Messenger Kids app allowed users under the age of 13 participate in group chats with strangers, without their parents permission, essentially letting those kids sidestep one of the core security fe...

Starbucks Abandons Azure Site, Exposed Subdomain to Hijacking (BleepingComputer) An oversight from Starbucks exposed one of its subdomains to takeover threat, which could be further leveraged in attacks against customers and the company.

Starbucks disclosed on HackerOne: Subdomain takeover on svcgatewayus[dot]starbucks[dot]com (HackerOne) Subdomain takeover possible on one of Starbucks's subdomain. The subdomain pointed to Microsoft Azure Cloud App which was no longer registered under Azure.

Most Ransomware Attacks Target Government Networks (MSSP Alert) Nearly 70 percent of ransomware attacks this year targeted U.S. state, local and county governments, Barracuda Networks research finds.

Dime-a-dozen ransomware attacks could mess with elections (Axios) The attacks are commonplace, but that doesn't mean election systems will be able to avoid them.

Montana schools still vulnerable to cyber attacks, experts warn (Fairfield Sun Times) It's easy to assume that a quiet school in rural Montana won't be the target of a cyber attack. That assumption is also wrong.

A week after cyberattack, Regis University makes some progress to restore normalcy (The Denver Post) A week after a “malicious threat” likely from outside the country downed internet technology systems at Regis University, the community at the private, religious college can finally beg…

Security Patches, Mitigations, and Software Updates

Apple Updates Privacy Policies After Siri Audio Recording Faux Pas (Threatpost) Apple's "grading" process, which listens to Siri voice recordings, will now be in-house and has an option for users to opt out.

Apple to stop storing Siri audio after contractors heard private talks and sex (Ars Technica) Fall 2019 update will disable storage of Siri audio—users can turn it back on.

Marketplace

Cloud Security Boom Creates New Crop of Tech Darlings (Supply Chain Brain) A new generation of cybersecurity companies is creating billions of dollars in market value for investors as businesses increasingly turn to cloud-based products for better protection from sophisticated attacks.

Six Hackers Break Bug Bounty Record, Earning Over $1 Million Each on HackerOne (BusinessWire) HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced that six individual hackers have earned over one million

Hackers Report First Security Vulnerability to 77% of Customers Within 24 Hours HackerOne Report Reveals (BusinessWire) HackerOne, the number one hacker-powered pentesting and bug bounty platform, today announced findings from its 2019 Hacker-Powered Security Report. Th

How one teenager took out a secure Pentagon file sharing site (C4ISRNET) A vulnerability in the Pentagon's secure file sharing system allowed near unencumbered access to files.

Carbon Black's relationship with VMware started well before acquisition (SiliconANGLE) Familiarity may breed contempt, as the saying goes, but in the case of Carbon Black Inc. and VMware Inc. it bred an opportunity to secure enterprise workloads and lay the groundwork to transform the security industry.

F-Secure joins Broadband Forum to help shape Connected Home security standards (Global Security Mag Online) F-Secure has joined Broadband Forum, the communications industry’s leading organization focused on accelerating broadband innovation, standards, and ecosystem development, to better serve communication service providers and secure its wireless home offerings better in the battle against ever-increasing cyber threats.

Zix: The Mouse That Roared (Seeking Alpha) Zix is a cybersecurity company focused on Email. The company recently acquired AppRiver which is larger and has better metrics. As a result of the acquisition, Zix is left with a small amount of cash and a lot of debt.

Aryaka Names Christiana Khostovan General Counsel and Corporate Secretary (Yahoo) Christiana Khostovan, Former General Counsel and Corporate Secretary for Revel Systems Brings Tremendous Legal and Regulatory Experience to Aryaka

SAIC Announces the Appointment of Two New Board Members (Yahoo) Joining the board are Carol Goode and Yvette Kanouff. Goode will serve on the Human Resources and Compensation Committee and the Nominating and Corporate Governance Committee. Kanouff will serve on the Audit Committee and the Risk Oversight Committee.

Products, Services, and Solutions

Cyxtera Achieves Common Criteria Security Certification for AppGate SDP (BusinessWIre) Cyxtera Technologies, today announced that AppGate SDP, the leading SDP solution, has achieved Common Criteria Certification.

Herjavec Group Leverages Google Chronicle for Managed Security Services - MSSP Alert (MSSP Alert) Herjavec Group leverages Google Chronicle's Backstory & VirusTotal for expanded managed security services capabilities.

StackRox Announces New Capabilities in Its Kubernetes Security Platform to Increase Protection of Kubernetes Applications (StackRox) StackRox announces general availability of version 2.5 of the StackRox Kubernetes Security Platform

Technologies, Techniques, and Standards

What can be done about the rising click interception threat? (Help Net Security) Ad networks' successful efforts to detect bot-based ad click fraud has forced attackers to focus on intercepting and redirecting legitimate users’ clicks.

Design and Innovation

The Pentagon Is Exploring New Ways to Isolate Its Networks (Nextgov.com) Three companies have already received multimillion-dollar contracts to explore new ways to protect the data flowing through the military’s IT systems.

Research and Development

Brisbane scientist cracks secret IRA message from 1920s (The Age) The cryptogram, about the theft of explosives, eluded the world's top code-breakers for decades.

Academia

Colleges and Universities at Risk for Cyber-Attacks as School Year Starts (The National Law Review) It&rsquo;s a busy time for colleges and universities as the fall semester starts and campuses are bustling with activity. It&rsquo;s also the perfect time for cyber criminals to create mayhem for inst

As the school year begins, beware of hackers (CNBC) A new report finds that hackers are increasingly targeting the education industry, leaving students' information vulnerable to identity theft and other types of fraud.

Security by Sector: Young Brits Call for Smartphone Policies and Social Media Lessons in Schools (Infosecurity Magazine) Does the education system need new approaches in how it handles technology?

Kaspersky partners with Temasek Polytechnic to offer technical cybersecurity courses to more Singaporeans - The Online Citizen (The Online Citizen) Earlier this week, Kaspersky signed a three-year agreement with Temasek Polytechnic (TP) to provide cybersecurity courses for corporate practitioners and members of the public in Singapore. The training collaboration agreement was signed on Monday (26 Aug) by Stephan Neumeier, Managing Director for Asia Pacific (APAC) at Kaspersky, and John Leong, Director of the Temasek SkillsFuture …

Legislation, Policy and Regulation

Hong Kong ISPs Hit Back at Government Censorship Plans (Infosecurity Magazine) Hong Kong ISPs Hit Back at Government Censorship Plans. Concerns city-state’s CEO will order blocking of specific apps

New Rule Takes Effect Barring Contractors From Supplying Huawei, ZTE Equipment to the Feds: What In-House Counsel Need to Know (Corporate Counsel) Contractors can no longer supply telecom or surveillance equipment from certain manufacturers, including Huawei and ZTE Corp., to U.S. federal agencies.

Huawei represents national security risk to US, says analyst (Yahoo) Raymond James Washington policy analyst Ed Mills discusses the probe into Chinese tech giant Huawei and the U.S.-China trade dispute.

Suppressing Huawei beyond US security concerns: expert (Global Times) How is cybersecurity connected with geopolitics? In what way will cyber geopolitics influence a country’s diplomacy? How to establish effective diplomatic mechanism in cyberspace?

U.S. Official Involved in Huawei Dispute Steps Down (Wall Street Journal) A senior Commerce Department official overseeing an office at the center of President Trump’s battle with Chinese telecommunications giant Huawei Technologies is moving to a more junior position.

Intelligence Consolidation Looms for the U.S. Military (SIGNAL Magazine) U.S. intelligence must integrate its assets and procedures to address the challenges of new technologies and malevolent potential adversaries, says the former head of Army intelligence.

DHS sees more cyber outsourcing (Washington Technology) Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

Litigation, Investigation, and Enforcement

WSJ News Exclusive | U.S. Prosecutors Probe Huawei on New Allegations of Technology Theft (Wall Street Journal) Investigators are looking into episodes in which Huawei was accused of stealing intellectual property from people and companies and how it recruited employees from competitors.

Snake oil or genius? Crown Sterling tells its side of Black Hat controversy (Ars Technica) In an exclusive interview with Ars, execs of controversial crypto company explain everything.

Bulgaria's tax agency fined $3 million over data breach, will appeal (Reuters) Bulgaria's tax agency will appeal a fine of 5.1 million levs ($2.9 million)...

Alleged Capital One Hacker Also Accused of Crypto-Jacking (Infosecurity Magazine) New indictment reveals charges carrying penalties of up to 25 years

Everything We Know About the Capital One Hacking Case So Far (Wired) A new indictment against alleged Capital One hacker Paige Thompson includes a few fresh details about the case.

Capital One hack shows difficulty of defending against irrational cybercriminals (CSO Online) The motivation of the malicious actor who stole data of more than 100 million people was driven by emotional distress and did not follow traditional hacker patterns.

What the Jetflicks and iStreamItAll Takedowns Mean for Piracy (Wired) In a sweeping indictment, the feds came down hard on two unauthorized streaming services that allegedly crossed a very important line.

Facial Recognition Technology Creates a Fine Mess in Sweden (Infosecurity Magazine) A Swedish municipality may still introduce facial recognition technology in schools despite receiving the country’s first GDPR violation fine for trialing it.

Microsoft may still be violating privacy rules, says Dutch regulator (Naked Security) EU data watchdogs are yet again sniffing at Windows 10.

Big News For Facebook Investors And No One Noticed (Seeking Alpha) ...This week, the first Cartel the Senate of the Düsseldorf Higher Regional Court expressed massive doubts about the FCO's reasoning on which it based the restrictions. The Court decided that Facebook does not have to implement the antitrust office's orders for the duration of the appeal proceedings. In its explanatory statement the Düsseldorf Higher Regional Court has raised "serious doubts" as to the legality of the globally respected action against Facebook...

Levandowski’s Fate May Turn on the Meaning of ‘Trade Secret’ (Wired) Former Google and Uber engineer Anthony Levandowski was indicted on charges of stealing trade secrets. But what exactly are those, anyway?

Md. top court upholds child porn charge against teen who texted friends (Maryland Daily Record) Delving into the high school world of sexting, Maryland’s top court ruled Wednesday that a 16-year-old who texted a video of herself engaging in a consensual sexual act with an adult was “involved” in distributing child pornography in violation of Maryland law.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

9th Annual Peak Cyber Symposium (Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Peak Cyber Symposium is designed to further educate Cybersecurity, Information Management, Information Technology and Communications Professionals by providing a platform to explore some of today's most pressing cybersecurity threats, remediation strategies and best practices. Peak Cyber Schedule includes: Capture The Flag (CTF) at Peak Cyber; Speaker Sessions, Panels and In-Depth Training Workshops & Boot camps.

9th Annual Peak Cyber Symposium (Colorado Springs, Colorado, USA, September 3 - 5, 2019) The Information Systems Security Association (ISSA) - Colorado Springs Chapter will once again host the 9th Annual Peak Cyber Symposium. This year's theme is "Cyber Hygiene: Everyday for Everyone." The Peak Cyber Symposium is designed to further educate cybersecurity, information management, information technology, and communications professionals by providing a platform to explore some of today's most pressing cybersecurity threats, remediation strategies and best practices.

10th Annual Billington CyberSecurity Summit (Washington, DC, USA, September 4 - 5, 2019) This year's theme is, "Reinventing Cybersecurity: Addressing Tomorrow's Top Cyber Challenges." The summit has become the world's leading summit on government cybersecurity. It will convene again U.S. and allied partners in an unprecedented day and a half of high level knowledge sharing and networking.

2019 Intelligence and National Security Summit (National Harbor, Maryland, USA, September 4 - 5, 2019) The Intelligence & National Security Summit, powered by AFCEA International and the Intelligence and National Security Alliance (INSA), is the premier forum for unclassified dialogue between U.S. Government Intelligence Agencies and their partners in the private and academic sectors.

Derbycon 2019 (Louisville, Kentucky, USA, September 4 - 8, 2019) DerbyCon isn’t just another security conference. We’ve taken the best elements from all the conferences we’ve ever been to and put them into one. DerbyCon is a place you can call home, where you can meet each other, party, and learn. Our goal is to create a fun environment where the security community can come together to share ideas and concepts. Whether you know Linux, how to program, are established in security, are a hobbyist, or are trying to break into INFOSEC, the idea of DerbyCon is to promote learning and strengthen the community. We are a community of peers learning from one another.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.