Cyber Attacks, Threats, and Vulnerabilities
COBALT DICKENS Goes Back to School…Again (Secureworks) The COBALT DICKENS threat group persists despite law enforcement actions and public disclosures, conducting another global campaign targeting universities.
‘Cobalt Dickens’ group is phishing universities at scale again, researchers say - CyberScoop (CyberScoop) An Iran-linked hacking group whose operatives a U.S. jury indicted last year has launched a phishing operation to steal login credentials against computer users at over 60 universities in the United States, the United Kingdom, and elsewhere, researchers said Wednesday. The campaign, whose aim is likely intellectual property theft, sees victims redirected to spoofed login pages, where their passwords are stolen, said Secureworks, a Dell-owned cybersecurity company that discovered the activity. “The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity,” Secureworks said in a blog post. The most high-profile attempt to disrupt the hackers was the charges the U.S. Department of Justice announced in March 2018 against nine Iranian nationals for breaching the networks of multiple U.S. universities, federal government agencies and U.S. companies. And yet the hacking group, which Secureworks dubs Cobalt Dickens, has used some of the same domains in their new phishing activity …
UNICEF data leak reveals personal info of 8,000 online learners (Devex) UNICEF has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora.
D-Link wireless modems found to leak passwords (SC Magazine) The D-Link DSL-2875AL modem contains a password disclosure vulnerability: the password is stored in clear text.
NetCAT side-channel flaw affecting Intel server CPUs could enable attackers to sniff sensitive network data (Computing) The weakness affects all Intel chips supporting the RDMA and DDIO features
Is Pentagon JEDI Program a $10B Cloud Security Fiasco? (SDxCentral) Data breaches remain the No. 1 cloud security threat, costing companies millions of dollars per breach not to mention permanent reputational damage and loss of trust. But when and if the Pentagon suffers a breach, there’s a lot more to worry about than cost.
Microsoft Phishing Page Uses Captcha to Bypass Automated Detection (BleepingComputer) A new phishing campaign has been observed in the wild using captcha boxes to hide a fake Microsoft account login page from secure email gateways (SEGs).
Bishop Fox Researchers Discover High-Risk Vulnerability in OpenEMR (Yahoo) The bug was patched by OpenEMR following the researchers' disclosure.
IoT security: Now dark web hackers are targeting internet-connected gas pumps (ZDNet) As more and more devices get connected to the Internet of Things, researchers say compromising pumps has become a hot topic on cyber criminal forums.
Uncovering IoT Threats in the Cybercrime Underground (Trend Micro) Understanding current and future threats to the internet of things (IoT) can help shape how we secure this technology that is increasingly becoming integral to today's world. What insights can be reaped from the cybercrime underground?
Report: Massive Fraud Network Uncovered, Targeting Groupon & Online Ticket Vendors (vpnMentor) vpnMentor’s research team, led by Noam Rotem and Ran Locar, recently exposed a massive criminal operation that has been defrauding Groupon and other major ...
Avast discovers security flaws in GPS trackers (Scoop News) Digital security vendors Avast [LSE:AVST] have discovered serious security vulnerabilities in the T8 Mini GPS tracker and nearly 30 other models by the same manufacturer, Shenzhen i365 Tech. Marketed to keep kids, seniors, pets, and even possessions safe, instead ...
Avast places flashlight apps' permission requests in the spotlight (SC Media) An Avast researcher shed some light on the number and invasiveness of the permissions requested by various publishers to download and install their
Ransomware Behind Cyber Attack On Souderton Area School District (Montgomeryville-Lansdale, PA Patch) Souderton is working with the FBI and Homeland Security after discovering the recent disruption was due to a ransomware attack.
If you have any of these 24 Android apps installed, delete them now! (HOTforSecurity) Security researchers are sounding the alarm over 24 Android apps laced with a stealthy trojan that signs you up for a costly subscription without your permission. If you’ve downloaded any of the 24 apps, delete them now and check your bank statements for any...
OSIsoft PI SQL Client (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.1
ATTENTION: Exploitable remotely
Vendor: OSIsoft LLC
Equipment: OSIsoft PI SQL Client
Vulnerability: Integer Overflow or Wraparound
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow remote code execution or cause a denial of service, resulting in disclosure, deletion, or modification of information.
Siemens SIMATIC TDC CP51M1 (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SIMATIC TDC CP51M1
Vulnerability: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could create a denial-of-service condition within UDP communication.
Siemens SINETPLAN (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.0
ATTENTION: Low skill level to exploit
Vendor: Siemens
Equipment: Siemens Network Planner (SINETPLAN)
Vulnerability: Improper Authorization
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow information disclosure, code execution, and denial-of-service.
Delta Electronics TPEditor (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Low skill level to exploit
Vendor: Delta Electronics
Equipment: TPEditor
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Out-of-bounds Write
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow information disclosure, remote code execution, or may crash the application.
Siemens IE-WSN-PA Link WirelessHART Gateway (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: IE/WSN-PA Link WirelessHART Gateway
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow information disclosure, code execution, or denial-of-service.
Siemens Industrial Products (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: Industrial Products
Vulnerabilities: Integer Overflow or Wraparound, Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a denial-of-service condition.
Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU (Update A) (CISA) 1. EXECUTIVE SUMMARY
Siemens SIMATIC PCS7, WinCC, TIA Portal (Update C) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.1
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SIMATIC PCS7, WinCC Runtime Professional, WinCC (TIA Portal)
Vulnerabilities: SQL Injection, Uncaught Exception, Exposed Dangerous Method
Siemens SIMATIC WinCC and PCS7 (Update B) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.2
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Siemens
Equipment: SIMATIC WinCC and SIMATIC PCS7
Vulnerability: Unrestricted Upload of File with Dangerous Type
CafePress thinks its data breach victims should use Equifax as a resource (Fast Company) Online retailer CafePress sent a letter to customers this week informing them that their personal information, including Social Security numbers, was breached.
Security Patches, Mitigations, and Software Updates
Microsoft's September 2019 Patch Tuesday Fixes 79 Vulnerabilities (BleepingComputer) Today is Microsoft's September 2019 Patch Tuesday, which means your Windows administrators are going to be up to their elbows in problems. So be nice to them!
Patch Tuesday, September 2019 Edition (KrebsOnSecurity) Microsoft today issued security updates to plug some 80 security holes in various flavors of its Windows operating systems and related software.
Mozilla increases browser privacy with encrypted DNS (Naked Security) Mozilla is about to turn on-by-default an oft-overlooked privacy feature in Firefox.
Chromebook bug incorrectly triggered device end-of-life warning to users (Computing) Bug was patched by Google last weekend following unpleasant surprises for Chromebook users
Cyber Trends
New 2019 Cybercrime Report Tracks Growing Threat of Networked Cybercrime (PR Newswire) LexisNexis® Risk Solutions today released at the Digital Identity Summit its Cybercrime Report...
Risk Assessment of Internet-Facing Infrastructure Finds Areas for Improvement Include Out-of-Date Operating Systems and Email Phishing Protections (NormShield) NormShield conducted two risk assessments (July and August) of 56 election commissions and Secretaries of State (SoS) to identify the publicly available information that hackers could exploit to conduct an attack. After the July assessment, NormShield privately provided its findings to the SoS offices and election commissions so that they had the information needed to remediate vulnerabilities. NormShield ran a second scan in August and found significant improvement in the security posture of several election commissions.
Analysis | The Cybersecurity 202: How state election officials are contributing to weak security in 2020 (Washington Post) A new report finds their offices are falling short on basic protections.
Elections officials flub some basic security tasks (Axios) Many state election organizations receive poor grades for basic protections.
Report: Employees Trigger Most Industrial Network Cybersecurity Incidents (MSSP Alert) Employee errors caused more than half of cybersecurity incidents affecting operational technology and industrial control system (OT/ICS) networks last year, a Kaspersky report says.
8 DDoS Attack Trends To Watch For In 2020 (CRN) CRN asks technical and research experts at A10 Networks, Akamai, and Radware about new and emerging threats in the DDoS space and what businesses need to do to ensure their survival.
Artificial Intelligence: It’s Complicated And Unsettling, But Inevitable (Forbes) If artificial intelligence came to life and set up a facebook profile, it would have a relationship with all of us, and our relationship status would be "It's Complicated".
Marketplace
Cyber insurance: What are the considerations and challenges? (Global Banking & Finance Review) For business owners, connecting to the internet has been a blessing, allowing organisations the ability to grow at an unprecedented rate. However, such connection does have its drawbacks, namely cyberattacks. Business owners have come to accept cyberattacks as an eventuality, rather than a possibility. Executives can do their best to defend against attacks, such as implementing a robust employee training programme, but even with the most cutting-edge security solution in place, there is no such thing as being 100% secure.
Snyk grabs $70M more to detect security vulnerabilities in open-source code and containers (TechCrunch) A growing number of IT breaches has led to security becoming a critical and central aspect of how computing systems are run and maintained. Today, a startup that focuses on one specific area — developing security tools aimed at developers and the work they do — has closed a major fundin…
Cyware Labs Raises $3 Million in Seed Funding Led by Emerald Development Managers (Yahoo) Investment to Fuel International Growth, Bolster Strategic and Technical Threat Intelligence Automation, and Advance Cyber Fusion Solutions
HackerOne raises $36.4 million in the Series D investment round (Express-Journal) Total funding of the company rises to $110 million after the closure of the Series D funding round. HackerOne presently works with over 1,500 customers who use the company’s support to find key security weaknesses so they can be addressed before people with malicious intent identify and exploit them. HackerOne, a San Francisco-based company created seven years ago which mediates between companies and hackers keen to test their online vulnerabilities, has raised $36.4 million in a Series D funding round that brings the company’s total funding to $110 million to date. Valor Equity Partners led the deal and was joined by
Akamai acquires LatAm channel partner Exceda (BNamericas.com) Akamai Technologies has entered into an agreement to acquire Exceda, its largest channel partner in Latin America.
Ping Identity Announces Launch of Initial Public Offering (Yahoo) Ping Identity Holding Corp. ("Ping Identity") today announced that it has launched the roadshow for the initial public offering of its common stock. Ping Identity is offering 12,500,000 shares of its common stock pursuant to a registration statement on Form S-1 filed
Opinion | Huawei Has a Plan to Help End Its War With Trump (New York Times) During a rare interview, the company’s chief executive proposed negotiations with the Justice Department.
Chip Makers Still Await Clearance to Sell to Huawei (Wall Street Journal) The U.S. has yet to green-light any sales to Huawei Technologies, frustrating chip makers more than two months after President Trump agreed to ease export restrictions on the Chinese telecom giant.
Government of Canada Selects KeyData Associates for Cyber Security Contract (Yahoo) KeyData Associates Inc. (" KeyData"), a leading provider of cybersecurity services, announced today that it has been selected by the Government of Canada's Shared Services Canada (SSC) to provide security technology solutions and systems integration
Alex Stamos schools Apple after they whine about Google revealing a whack of iOS zero-days (Boing Boing) Early this month, Google’s Project Zero revealed a breathtaking attack on multiple OSes, including Apple’s iOS, in which a website that served Uyghur people was found to be hosting at l…
ThetaRay Continues Global Expansion With Mexico Office Launch (PR Newswire) ThetaRay, the leading provider of AI-based big data analytics, today announced the opening of its Latin America...
Zscaler Names Dali Rajic as President Go-To-Market and Chief Revenue Officer (Yahoo) Zscaler, Inc. (ZS), the leader in cloud security, today announced the appointment of Dali Rajic as President Go-to-Market and Chief Revenue Officer. Rajic has nearly 25 years of experience in sales leadership and go-to-market operational roles. Rajic will report directly to Jay Chaudhry, CEO and Founder
Stardog Appoints Data Management Veteran Bob More as Global Head of Sales and Alliances (BusinessWire) Stardog, the leading data unification platform, today announced the appointment of Bob More as their Global Head of Sales and Alliances. More comes to
Products, Services, and Solutions
New Release of Barracuda CloudGen Firewall automates and secures enterprise migrations to public cloud (Barracuda Networks) Barracuda’s Secure SD-WAN platform delivers industry-leading security, connectivity, and automation across multi-cloud deployments
Dragos Launches ICS App in the CrowdStrike Store to Rapidly Bridge the IT-OT Threat Detection Divide (Yahoo) Dragos, Inc., provider of the industrial industry’s most trusted asset identification, threat detection and response platform and services, today announced it is partnering with CrowdStrike, a leader in cloud-delivered endpoint protection, to release a new ICS/OT Threat Detection app available for CrowdStrike
Treezor chooses Thales Cloud to secure its Banking-as-a-Service platform (Moneycontrol) Treezor is required to implement strong data security controls to protect personal financial information and other sensitive data.
Office 365 security: Automated incident response based on playbooks (Help Net Security) Five months after introducing Automated Incident Response in Office 365 ATP, Microsoft has announced it's making it more widely available.
AWS Offering Highlights Software Defined Perimeter Space (Virtualization Review) After an uneven start, the software-defined networking movement has matured and evolved to include fast-growing initiatives such as software-defined wide-area-networking (SD-WAN) and the security-oriented Software Defined Perimeter.
If you don't use a password manager, your accounts are probably at risk (Futurism) Setting one up is easier than ever.
Stellar pledges to give away $120 million in XLM to Keybase users (Yahoo) Stellar Lumens is planning another huge giveaway after pledging to airdrop $120 million worth of its premined XLM token to users of messaging app Keybase. This is not the first time the five-year-old cryptocurrency has given away tokens. Coin Rivet reported on the company's $125 million giveaway
Viasat's Suite of Network Encryption Products Available for Use by Five Eyes Coalition Forces (Yahoo) Interoperability of Network Encryption Products Enables Coalition Militaries to Securely Protect Critical Information and Improve Mission Effectiveness across a Diverse Battlespace LONDON, Sept. 10, 2019 ...
EfficientIP Announces World’s First Edge DNS Global Server Load Balanc (PRWeb) EfficientIP, a leading provider of network security and automation solutions specializing in DDI (DNS-DHCP-IPAM), today announced the release of the industry’s fi
Pulse Secure helps Hogarth Worldwide to improve secure access with Zero Trust approach (West) Hogarth selected Pulse Secure’s VPN and NAC solutions to ensure its workforce is authenticated, authorized and secure
Technologies, Techniques, and Standards
Analysis | The Cybersecurity 202: How counties are war-gaming Election Day cyberattacks (Washington Post) They're on the front lines.
People vs. Machine in the Security Clearance Reform Debate (ClearanceJobs) The government has always emphasized the ‘people’ aspect of the security clearance process.
Cybersecurity world watched New Bedford's response to ransomware (southcoasttoday.com) New Bedford’s ransomware attack has gotten noticed in the world of information security. The industry website Bankinfosecurity.
How a small business should respond to a hack (CSO Online) With small business finding itself in hackers’ crosshairs as much as the big boys, it’s imperative to have an immediate response plan in the event of an attack.
Design and Innovation
BBC Teams Up With Facebook, Google, Twitter On New Strategy To Fight Fake News Online (Tech Times) The BBC crafted a new strategy to prevent the spread of fake news meant to mislead voters or endanger lives. The new strategy will involve the adoption of an 'early warning system' to stop disinformation campaigns before they circulate online.
Academia
Regis plans to use its own cyberattack as security lesson for students (KUSA) Days before the fall semester began, Regis University experienced a cyber attack. IT professionals are in the process of cleaning 1,800 campus computers.
On the Attack: Auburn University is a National Leader in Cybersecurity (Yahoo) Auburn University and the Samuel Ginn College of Engineering are taking the lead as an institution on the forefront of cybersecurity research and professional preparedness in the industry. Interdisciplinary research and collaboration through the Charles D
Grand Forks student named a CyberCorps Scholar (Grand Forks Herald)
Legislation, Policy, and Regulation
Why Isn’t China Salami-Slicing in Cyberspace? (The Diplomat) It’s time to start thinking about engaging with the digital variant of this favorite Chinese foreign policy dish.
Margrethe Vestager’s vast new powers (POLITICO) The Danish politician returns to the Commission in an unprecedented role to direct and enforce European digital policy.
UPDATE: Brazil’s Data Protection Law Moves Forward (Cooley) The final version of Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD), was approved by the Brazilian Federal Senate in May 2019 and sanctioned by President Jair Bolsonaro in July…
Trump Administration Unveils New Sanctions Related to Terror Financing (Wall Street Journal) The Treasury and State Department blacklisted dozens of people, currency-exchange houses and companies allegedly associated with U.S.-designated terror groups.
Trump extends national emergency on foreign election interference (TheHill) President Trump on Tuesday issued a notice extending a national emergency declaration over foreign interference in U.S. elections.
Trump fires John Bolton as national security adviser (NBC News) One official, speaking on the condition of anonymity, said Afghanistan “broke open the bottom of the bag” in a relationship that had been eroding.
Bolton out as national security adviser after clashing with Trump (Washington Post) Bolton, who was Trump’s third national security adviser, took issue with the president’s assertion that he was fired, saying that he had offered his resignation.
Trump Axes Bolton via Twitter (Foreign Policy) Another national security advisor departs the White House after losing a series of policy battles.
Breaking Point: How Trump and Bolton Finally Hit Their Limit (Time) As President Donald Trump prepared in recent weeks to meet in person with Taliban negotiators at Camp David and with Iranian President Hassan Rouhani in...
Bolton was odd choice for Trump's foreign policy team (Reuters) John Bolton was always an odd fit to be U.S. President Donald Trump's natio...
Trump names Bolton's deputy to be acting national security adviser; Muslim-American group derides choice (Fox News) White House spokesperson Hogan Gidley announced Tuesday afternoon that Charles Kupperman would serve as acting national security adviser until President Trump names a permanent replacement for John Bolton next week.
Fevered speculation over John Bolton's replacement as national security adviser (Fox News) A crop of potential candidates for national security adviser is emerging in the wake of John Bolton's abrupt dismissal from the White House on Tuesday.
Why the US needs to improve intelligence sharing on Russian military activities with NATO allies (Military Times) The U.S. should step up its distribution of intelligence with all NATO members to weaken Russian influence attempts and to help unify the alliance, in the event Russia targeted an attack against a NATO ally, a new report says.
What does state-of-the-art cybersecurity look like to the Pentagon? (Fifth Domain) The Department of Defense is cracking down on contractor cybersecurity.
Executives Say $1 Billion for AI Research Isn’t Enough (Wall Street Journal) The announcement of a nearly $1 billion federal commitment toward artificial-intelligence research drew a mixed response from business leaders who said the U.S. needs to do more to maintain a competitive edge in AI.
51 tech CEOs send open letter to Congress asking for a federal data privacy law (ZDNet) CEOs who signed: Amazon, AT&T, Dell, IBM, SAP, Salesforce, Visa, Mastercard, and JP Morgan Chase.
Opinion | I Work for N.S.A. We Cannot Afford to Lose the Digital Revolution. (New York Times) Technology is about to upend our entire national security infrastructure.
Litigation, Investigation, and Law Enforcement
281 Alleged Email Scammers Arrested in Massive Global Sweep (Wired) The most sweeping takedown yet of so-called BEC scammers involved arrests in nearly a dozen countries.
281 Arrested Worldwide in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes (US Department of Justice) Federal authorities announced today a significant coordinated effort to disrupt Business Email Compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals, including many senior citizens. Operation reWired, a coordinated law enforcement effort by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury, U.S. Postal Inspection Service, and the U.S. Department of State, was conducted over a four-month period, resulting in 281 arrests in the United States and overseas, including 167 in Nigeria, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the United Kingdom (UK). The operation also resulted in the seizure of nearly $3.7 million.
US Secret Service probing breach at federal IT contractor (SC Magazine) Credentials and email messages pilfered in a breach of a US government contractor were auctioned off in a Russian cyber-crime site in August. The US Secret Service is on the trail
Secret Service Investigates Breach at U.S. Govt IT Contractor (KrebsOnSecurity) The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks.
Spy Oleg Smolenkov told CIA how President Putin meddled in election (Times) A CIA spy at the heart of the Kremlin was identified yesterday as a member of President Putin’s administration who fled to the US via the Balkans. Oleg Smolenkov, 50, is said to have had access to...
Trump skeptical of using foreign spies to collect intel on hostile countries, sources say (CNN) President Donald Trump has privately and repeatedly expressed opposition to the use of foreign intelligence from covert sources, including overseas spies who provide the US government with crucial information about hostile countries, according to multiple senior officials who served under Trump.
Google & Apple pushed to reveal gun scope app users’ names to feds (Naked Security) It’s a first: The government has never demanded personal data of a single app’s users from Apple & Google.
Taylor Swift Once Threatened Microsoft Over Artificial Intelligence Named ‘Tay’ (Yahoo Entertainment) Don't mess with Taylor.