Cyber Attacks, Threats, and Vulnerabilities
Evidence tying Cobalt Group to Magecart Group 4 unveiled (SC Magazine) Security firms Malwarebytes and HYAS string together several pieces of evidence that they believe tie Magecart Group 4 to the Cobalt Group
Lessons from the ANU cyberattack | The Strategist (The Strategist) Australian National University Vice Chancellor Brian Schmidt’s public release of a detailed report on the damaging cyberattack on ANU systems and data marks a refreshing shift in behaviour on cybersecurity for Australian public institutions. The ...
Uzbekistan's SandCat APT exposed itself by testing malware against commercial anti-virus software (Computing) SandCat developed malware on PCs running antivirus software - which transmitted binaries of dodgy files back to Kaspersky researchers
Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV (Ars Technica) SandCat revealed because Uzbek intelligence agency is bad at OPSEC.
How Uzbekistan's security service (allegedly) began developing its own malware (CyberScoop) Uzbekistan's security service appears to be shedding its hacking training wheels and making a lot of noise in the process.
Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit (Forbes) Candiru, one of Israel's most secretive hacker-for-hire businesses, has done a fine job of staying under the radar for its four years of existence. But now it's being exposed thanks to a sloppy customer, a researcher claims.
Warning over Reductor malware that manipulates browsers' random number generator to hijack HTTPS traffic (Computing) Reductor malware can also replace legitimate installers from third-party websites with infected ones on-the-fly, claims Kaspersky.
'Lost Files' Data Wiper Poses as a Windows Security Scanner (BleepingComputer) A Windows Security Scanner that states it encrypted your files is being distributed by spam, but whether by bug or design, it instead corrupts binary data in a victim's files.
Minerva attack can recover private keys from smart cards, cryptographic libraries (ZDNet) Older Athena IDProtect smart cards are impacted, along with the WolfSSL, MatrixSSL, Crypto++, Oracle SunEC, and Libgcrypt crypto libraries.
Egyptian government caught tracking opponents and activists through phone apps (Register) Intelligence services developed system, says security outfit
This new hacking group is using 'island hopping' to target victims (ZDNet) This year's series of cyber attacks against the aerospace and defense industries has been attributed to China's APT10 and JSSD. But it appears that the real culprit is a previously unknown organisation
Cyber-Spy Group Active Since 2013 Now Tied to Chinese State Actor (BleepingComputer) Multiple cyber-espionage campaigns that remained unattributed over the years have now been linked to a single threat actor that researchers named PKPLUG, attacking targets across Asia.
Chinese cyberespionage group PKPLUG uses custom and off-the-shelf tools (CSO Online) A previously unknown group or collective associated with China is targeting victims in Asia, possibly for geopolitical gain.
Bank of Ireland warns customers about new phishing text scam (Extra.ie) Bank of Ireland is warning customers to be vigilant after it emerged that a new phishing text scam is doing the rounds.
PDF encryption standard weaknesses uncovered (Naked Security) Researchers have discovered weaknesses in PDF encryption which could be exploited to reveal the plaintext contents of a file to an attacker.
The Internet’s Horrifying Way to Get Google Apps on Huawei Phones (Wired) Just make a Chinese website your device's remote administrator. It'll be fine!
Attackers exploit 0day vulnerability that gives full control of Android phones (Ars Technica) Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others.
Google finds Android zero-day impacting Pixel, Samsung, Huawei, Xiaomi devices (ZDNet) Vulnerability was patched in older Android OS versions, but resurfaced in newer releases.
Four U.S. Food Chains Disclose Payment Card Theft via PoS Malware (BleepingComputer) Hackers caused havoc at four restaurant chains in the U.S. over the summer after compromising their payment systems with malware that stole customers' payment card information.
Sberbank Hit by Huge Data Breach (The Moscow Times) Millions of customers’ data found on black market in Russian banking’s largest ever cybersecurity leak.
Zendesk announces data breach impacting years-old accounts (CyberScoop) Up to 10,000 Zendesk support and chat accounts may be impacted by a 2016 data breach, the San Francisco-based company announced Wednesday.
Security Flaw Discovered That Could've Wiped Out $7 Million in Dai Collateral (CryptoGlobe) A security flaw discovered in the upcoming Multi-Collateral Dai system being developed by stablecoin organization MakerDAO could have resulted in the loss of assets that back the digital token.
Ransomware attacks paralyze, and sometimes crush, hospitals (Naked Security) New attacks on the perennially besieged sector have crippled hospitals in the US and Australia and caused one health clinic to shut down.
Hospitals in US, Australia hobbled by ransomware (WeLiveSecurity) Several hospitals in the US and Australia have been struck by ransomware attacks, forcing them to cancel all but the most urgent appointments and surgeries.
3 Ontario hospitals hit with ransomware attack: Could more be at risk? (CBC) Hackers have crippled the computer systems of three Ontario hospitals in recent weeks, prompting concern about the type of malicious software used and whether more facilities may be at risk.
EA website balls-up exposes personal details of FIFA 20 players (Inquirer) Gaming giant EA has suffered a major security balls-up after its website leaked the personal details of gamers signing up for its FIFA 20 Global Series competition.
NC State Bar says it was target of ransomware attack (WSOC) The North Carolina State Bar says it was the target of a ransomware attack this week.
The checkm8 Exploit Can't Be Patched, and It Affects Millions of iPhones (How to, Technology and PC Security Forum | SensorsTechForum.com) The worst part of checkm8 is that once a jailbreak is performed, there’s no way for Apple to fix or patch the device with a future software update.
Interpeak IPnet TCP/IP Stack (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
Vendors: ENEA, Green Hills Software, ITRON, IP Infusion, Wind River
Equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow, Integer Underflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Race Condition, Argument Injection, Null Pointer Dereference
Northshore cyber attack effects continue (Bothell-Kenmore Reporter) The district’s phone system operational; food services and StudentVue/ParentVue are still down.
Security Patches, Mitigations, and Software Updates
Microsoft Releases Windows Security Updates to Fix Printing Issue (BleepingComputer) Microsoft today released out-of-band security updates, cumulative updates, and monthly rollup updates to address a printing issue plaguing all Windows client and server versions, acknowledged on September 30.
October 2019 Patch Tuesday forecast: Be sure to apply service stack updates (Help Net Security) Chris Goettl from Ivanti talks about service stack updates and offers his October 2019 Patch Tuesday forecast. Read more to learn what's in store.
Microsoft will continue providing Windows 7 security updates for SMBs (Help Net Security) SMBs that don't want to or can't upgrade from Windows 7 will be able to get extended security updates (ESU) through January 2023 - for a price, of course.
HackerOne User Reveals Critical Bug Through MakerDAO Bounty Program (Cointelegraph) HackerOne user reveals critical bug in MakerDAO’s planned Multi-Collateral Dai upgrade that could have resulted in a complete loss of funds for all Dai users.
Cyber Trends
Code42 2019 Global Data Exposure Report Finds 69% of Security Leaders Say Data Loss Prevention Cannot Stop Insider Threat (BusinessWire) Code42 releases its 2019 Global Data Exposure Report, which finds 69% of security leaders say data loss prevention cannot stop insider threat.
2019 Data Exposure Report (Code 42) Most organizations have some kind of data loss prevention strategy in place. However, that strategy typically ignores one of the greatest threats to data: the threat posed by employees.
Microsoft: MFA bypass attacks are so rare we don't have good statistics on them (ZDNet) Microsoft security expert also ranks authentication factors based on their ability to fend off attackers.
Good cybersecurity comes from focusing on the right things, but what are they? (Help Net Security) "There is no wrong way into the security field and it's never too late to make a career switch that will take you there," says Mark Orlando, CTO at
Survey Suggests Ransomware Broadening Perceptions of Cyber Risks (Claims Journal) Corporate risk managers are increasingly focusing on protecting their enterprises from business interruption after a series of ransomware attacks on
Marketplace
How security programs and breach history influence company valuations (Help Net Security) Cybersecurity audits are not only commonplace but are actually standard practice during M&A transaction preparation, according to (ISC)2.
How cyber-security is demonstrated to result in more valuable companies (SC Magazine) Cyber-security readiness can have both positive and negative effects on company valuations when assessing acquisition targets. So how do you assess cyber-capability for M&A purposes?
Executives have to make cybersecurity a priority in order to secure their business (Help Net Security) Optiv releases a report to help increase the understanding of the cyber threat landscape and offer best practices for organizations facing these threats.
What FireEye Might Fetch in a Buyout, and a Reality Check (247wallst.com) Reports this week suggest that FireEye is working with Goldman Sachs to explore a potential sale of the cybersecurity company.
HP to Cut Up to 9,000 Jobs in New CEO’s Restructuring Plan (Wall Street Journal) Incoming HP Chief Executive Enrique Lores is moving quickly to imprint changes on the computer hardware maker with plans to shrink the company’s ranks by as much as 16% in a restructuring plan that also aims to revive lagging printer sales.
Thales details plans for integrating Gemalto biometrics and digital identity business (Biometric Update) The integration of Gemalto into Thales “Digital Identity and Security” (DIS) will result in average organic sales growth of four percent to six percent between 2020 and 2023, according to an update…
Cybersecurity firm Acronis investing major growth in Arizona (Chamber Business News) Internet security firm F-Secure recently published a report covering the current landscape of cybersecurity attacks and data hygiene in the United States. The report, “Attack Landscape H1 2019,” revealed nearly three billion separate attacks had hit individual Internet of Things (IoT) devices in the first half of the year alone, a surge of 300 percent. …
Texas cyber firm opening office in Howard County (Baltimore Business Journal) CNF Technologies already has about 10 employees in Maryland, and plans to bring on another 15 by the end of 2020.
Products, Services, and Solutions
StackRox Extends Its Security Controls Across Container Operating Systems, Cloud Marketplaces, and Ecosystem Partners (PR Newswire) StackRox, the leader in container and Kubernetes security, announced several new product features to the...
Threat Intelligence: Symantec partners with Anomali (CISO MAG) Threat intelligence platform provider Anomali announced a strategic partnership with Symantec Corp. for threat intelligence-driven solutions.
Kaspersky updates decryption tool to fight ransomware (ITP.net) Kaspersky has updated its RakhniDecryptor tool to allow users whose files were encrypted by Yatron and FortuneCrypt ransomware to retrieve their data without paying a ransom.
Technologies, Techniques, and Standards
Emsisoft releases free decryptor for GalactiCrypter ransomware (Emsisoft | Security Blog) We just released a free decryptor for the GalactiCrypter ransomware strain. Download it here.
Bank of England cyber resilience exercise (Data Protection Report) BoE publish high level findings of the financial sector (“sector”) cyber simulation exercise.
Australian Govt Issues Android and iOS Security Hardening Guides (BleepingComputer) The Australian Signals Directorate (ASD)'s Australian Cyber Security Centre (ACSC) has published a set of two guides designed to help Australian government, commercial organizations, and enterprises harden the security of iOS and Android devices in their fleets.
Tips for Avoiding Remote Connectivity Hacking (National Cyber Security) For the better part of the past decade, online tech support scams have been on the rise as hackers find new ways to trick consumers into providing remote access to their computers in order to steal information.
Security and compliance gaps of ineffective employee onboarding and offboarding (Help Net Security) Ivanti's survey results find significant gaps in the compliant management of employee resources throughout the employment lifecycle.
Face the fax: CIA phasing out hardware for secure email (Fifth Domain) The CIA wants a new way to communicate with industry.
Design and Innovation
Data61 releases dataset that could predict cyber attacks | The Mandarin (The Mandarin) Researchers at CSIRO’s Data61 have developed a public dataset that could help cybersecurity specialists predict future cyberattacks. It comes days after numerous hospitals across Victoria were victims of security attacks.
Australian researchers leading the way in cyber security analysis (Defence Connect) Australian researchers have developed a dataset of global cybersecurity threats, from previous incidents, which they believe could help researchers predict future malicious online activity. The dat
TikTok explains its ban on political advertising (TechCrunch) Already under fire for advancing Chinese foreign policy by censoring topics like Hong Kong’s protests and pro-LGBT content, the Beijing-based video app TikTok is now further distancing itself from U.S. social media platforms, like Facebook, Twitter and Instagram, with a ban on political ads o…
Research and Development
Raytheon developing final phase of Electronic Warfare Planning and Management Tool (PR Newswire) Raytheon (NYSE: RTN) is developing Capability Drop 4 of the Electronic Warfare Planning and Management Tool,...
Quantum computers will change all our lives (Times) In 1970 a British mathematician called James Ellis had one of those lightbulb moments. Ellis, who worked for GCHQ, was trying to find a way of sending messages securely even when someone else is...
Legislation, Policy, and Regulation
The EU wants to bind Facebook to its will again – but this time it may have gone too far (The Telegraph) I write a lot about how Facebook is like a government.
Putin jokes that Russia will meddle in 2020 US elections (CNN) Russian President Vladimir Putin poked fun at the ongoing political crisis in the US by joking about election meddling Wednesday.
Why Washington won’t be buying Huawei’s offer to build a US rival (South China Morning Post) The offer to license 5G technology to an American company does not address Washington’s concerns, analysts say, since telecommunications have increasingly been seen as a strategic national security domain and a geopolitical issue.
Analysis | The Cybersecurity 202: Even impeachment isn’t slowing the Trump administration’s Huawei push (Washington Post) Trump pushed a European Huawei ban during a fiery press conference with Finland’s president.
US, UK, and Australia jointly request for Facebook to stop end-to-end encryption plans (ZDNet) Trio call for Facebook to allow law enforcement to obtain lawful access to content in a readable and usable format.
Barr Presses Facebook on Encryption, Setting Up Clash Over Privacy (Wall Street Journal) U.S. Attorney General Bill Barr, citing public safety, is asking Facebook to hold off on plans to add end-to-end encryption throughout its messaging services.
Attorney General Bill Barr Will Ask Zuckerberg To Halt Plans For End-To-End Encryption Across Facebook's Apps (BuzzFeed News) "We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety."
Facebook Encryption Eyed in Fight Against Online Child Sex Abuse (New York Times) The debate over privacy in the digital age increasingly pits tech companies against law enforcement agencies as explicit imagery explodes.
No federal privacy law will make it in the US this year, sources say (Naked Security) Without one, the companies that collect our data will likely face compliance with California’s take-no-prisoners law, in effect 1 January 2020.
Defense Department to tighten data security after settlement with veterans group (Military Times) A web site used to verify military status was open to potential identity thieves and scammers, advocates charge.
Top U.S. counterintelligence official praises whistleblower protections as espionage threats intensify (CBS News) National Counterintelligence and Security Center director Bill Evanina praised the Whistleblower Protection Act as he unveiled a new "Wall of Spies" experience museum
Cyberspace Solarium leader says private sector's under-investment in security is biggest challenge (Inside Cybersecurity) Leaders of the “Moonshot” initiative and the congressional Cyberspace Solarium Commission are struggling with how to secure the appropriate levels of investment -- and commitments to security -- necessary from both government and the private companies controlling the vast majority of critical infrastructure, they said, and are turning instead to politically
Former officials flag disinformation as top threat to U.S. elections (FCW) Three years after Russia waged a covert propaganda campaign against U.S. voters, the federal government has done little to address the problem through legislation or executive action.
Sir Brian Leveson appointed the second Investigatory Powers Commissioner (SC Magazine) Sir Brian Leveson to lead the IPCO, providing independent oversight and authorisation of the use of investigatory powers by intelligence agencies, police forces and other public authorities.
Litigation, Investigation, and Law Enforcement
Facebook criticises ECJ ruling on taking down illegal content (Telegraph) Facebook can be forced to remove hateful content worldwide by national courts in the European Union, EU judges ruled on Thursday.
European Court Ruling on Facebook Sets Harmful Precedent (Center for Data Innovation) In response to a European Court of Justice ruling that member states may order hosting providers to remove content worldwide, the Center for Data Innovation released the following statement from Senior Policy Analyst Eline Chivot.
Trump wanted Ukraine’s president to launch investigations before face-to-face meeting, State Dept. texts show (Washington Post) The messages between State Department officials, an aide to Ukraine’s president and Rudy Giuliani were released by House Democrats as part of their impeachment investigation.
Official: Pentagon didn't listen in on Trump Ukraine call (TheHill) No Defense Department (DOD) officials listened in on the July call between President Trump and the Ukrainian president now at the center of House Democrats’ impeachment inquiry, the P
FBI's new ransomware warning: Don't pay up, but if you do, tell us about it (ZDNet) The FBI is urging all ransomware victims to tell it about the attack whether they choose to pay or not.
Akron hacker sentenced to six years in prison for cyber attack (WEWS) An Akron man will spend the next six years behind bars for hacking the city of Akron and Akron Police Department websites in 2017.
Boeing 737 Max Safety System Was Vetoed, Engineer Says (New York Times) The company passed on the concerns to the Department of Justice as part of a criminal investigation into the engineering of the plane after two fatal crashes.
Boeing rejected 737 MAX safety upgrades before fatal crashes, whistleblower says (Seattle Times) The details revealed in the ethics complaint raise new questions about the culture at Boeing and whether the long-held imperative that safety must be the overarching priority was compromised on the MAX by business considerations and management's focus on schedule and cost.
Accused ringleader faces more charges in GoFundMe ruse involving Marine veteran (Marine Corps Times) A man already charged in state court with scamming donors out of more than $400,000 with a fake feel-good story about a homeless veteran is facing federal charges.
Former U.S. Army interpreter from Iraq gets 30 years for dealing fentanyl on dark web (Reuters) An Iraqi immigrant who worked as a U.S. Army interpreter was sentenced to 30 yea...