The CyberWire Daily Briefing, 10.18.19

Summary

By the CyberWire staff

ESET describes a Trojanized TOR browser that warns victims that they're vulnerable to police snooping because their browser is out-of-date. The bogus update page to which the unwary are redirected installs malware that enables the crooks to steal cryptocurrency, mostly Qiwi and Bitcoin. The caper is conducted in Russian and is directed against Russian-speaking visitors to various darknet sites.

ESET has also reported that older and unpatched versions of Amazon's Kindle and Echo are vulnerable to key reinstallation attacks that exploit WiFi vulnerabilities to achieve man-in-the-middle status.

Upstream says it's caught the popular Android app Snaptube engaged in large-scale clickfraud.

A site offering the putative iPhone jailbreak "Checkrain" is, Cisco Talos warns, enrolling visitors in an ad-fraud campaign.

While Apple CEO Cook mollifies Beijing (as WIRED describes), Facebook's Zuckerberg said yesterday that his company is not only uninterested in returning to business in China, the Telegraph reports. Mr. Zuckerberg expressed Facebook's strong commitment to free speech as grounds for refusing to moderate political content.

TASS is authorized to state that, while the enemy of my enemy may not exactly be my friend, he could at least be my cooperating law enforcement agency. The Moscow Times has some information on US assistance to Russia's FSB in a Russian domestic counter-terror operation. What terrorist group was implicated isn't publicly known, but the US has in the past given Russia intelligence on Islamist operations.

Nevertheless, Russo-American relations in cyberspace aren't all rainbows and unicorns: Cozy Bear, after all, has resurfaced in the news.

Join 300+ cyber security peers on Oct 22 in DC – Use DMV30 for 30% OFF

Notes.

Today's issue includes events affecting Australia, Canada, China, Egypt, Indonesia, Iran, Nigeria, Russia, Turkey, United Kingdom, United States, Venezuela and Vietnam

Bring your own context.

An old insight, worth repeating in the context of cybersecurity training, including such exercises as capture-the-flag competitions.

"There is a battlefield analogy, and that is, you want to go into battle with people that you trust, that you have experience with, that you can anticipate their every move. And I think it's like that. Even though it's a little bit of a different analogy, but it's like that in the corporate world as well. You want to train like you fight, and you want to fight like you train. And this is a great way to do it, and it's a fun way, and it keeps people interested."

—Justin Harvey, global incident response leader at Accenture, on the CyberWire Daily Podcast, 10.16.19.

Flavius Josephus said it was the secret to the Roman army's success: "Their drills are bloodless battles; their battles are bloody drills."

Try cloud-native network detection and response for free!

ExtraHop Reveal(x) Cloud is SaaS-based NDR for AWS, giving you complete visibility, real-time detection, and automated threat response in the cloud. Request your free 30-day trial today.

On the Podcast

In today's Daily Podcast, out later this afternoon, we speak with our partners at Cisco Talos, as Craig Williams describes Tortoiseshell's fake veteran’s job site. Our guest is Caleb Barlow from Cynergistek discussing the challenges of securing medical records.

Sponsored Events

Industrial Control Systems (ICS) Cyber Security Conference (Atlanta, Georgia, United States, October 21 - 24, 2019) SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.

Georgetown University Programs in Cybersecurity Webinar (Online, October 29, 2019) We invite you to learn more about the Master's and Graduate Certificate in Cybersecurity Risk Management at Georgetown University. Our programs prepare you with hands-on practice developing and executing integrated strategies, policies, and safeguards to manage cybersecurity risks across an enterprise. Register for a free webinar on October 29 at noon ET to learn more.

IMAGINE, A MISI salon-style bespoke dinner event (Columbia, Maryland, United States, November 1, 2019) IMAGINE a world where more young women can see themselves in the faces of the legendary women of science & technology – and say, "Yes I can!" The event on November 1 is a fundraiser in support of the region's unique and inclusive STEM program and will be held at the DreamPort Facility in Columbia Maryland. While its focus is on the under-represented young women, young men are also included in MISI's STEM programs.

NXTWORK 2019 (Las Vegas, Nevada, United States, November 11 - 13, 2019) Join us at NXTWORK 2019 to learn, share, and collaborate with GameChangers from companies across the networking industry. This year’s event features keynotes from Juniper executives, as well as special guest speaker Earvin “Magic” Johnson, along with 40+ breakouts and master classes led by Distinguished Engineers, as well as various opportunities for certification testing and training.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

500+ Million UC Browser Android Users Exposed to MiTM Attacks. Again. (BleepingComputer) The highly popular UC Browser and UC Browser Mini Android apps, with a total of over 600 million Play Store installs, exposed their users to MiTM attacks by downloading an Android Package Kit (APK) from a third party server over unprotected channels.

'The Dukes' (aka APT29, Cozy Bear) threat group resurfaces with three new malware families (Computing) The cyber gang has largely remained in dark since breaching the systems of Democratic National Committee in 2016.

Russian Cyber Unit That Went Dark After Hacking DNC Is Still Spying (The Daily Beast) The hackers, also known as Cozy Bear, who are linked to Russian intelligence have been using Twitter and Reddit forums to send coded messages.

Eager iOS jailbreakers tricked into click fraud (iTnews) Checkrain fake jailbreak site borrows pics of real researchers.

European Airport Systems Infected With Monero-Mining Malware (BleepingComputer) More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign spotted during August 2018 by Zscaler.

Unpatched Linux bug may open devices to serious attacks over Wi-Fi (Ars Technica) Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.

New Amazon Echo Warning As Wi-Fi Cyberattack Risk Confirmed (Forbes) Security researchers have confirmed that millions of Amazon Echo and Kindle devices could be vulnerable to the so-called KRACK attack. Here’s what you need to know…

A malicious Tor browser is helping scammers steal bitcoin, researchers say (CyberScoop) Thieves are using malware that masquerades as Tor, the anonymizing internet browser, to steal money from Russian-speaking people on the dark web, researchers said Friday.

This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users (Cofense) The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest credentials from Stripe, the online payment facilitator handling billions of dollars annually, making it an attractive target for threat actors seeking to use compromised accounts to gain access to payment card information and defraud consumers.

Popular app Snaptube accused of ad fraud, say researchers (TechCrunch) A popular video downloader app for Android has been found generating fake ad clicks and unauthorized premium purchases from its users, according to a security firm. Snaptube, which boasts some 40 million users, allows users to download videos and music from YouTube, Facebook and other major video s…

Secure-D uncovers non-human clicks and subscriptions from popular Android app Snaptube (Upstream) Upstream’s security platform Secure-D has detected and blocked more than 70 million suspicious mobile transaction requests coming from the Android app Snaptube in just six months. Snaptube has been delivering invisible ads, generating non-human clicks and purchases, then reporting them as real views, clicks and conversions to the advertising networks that serve them. The ads …

Researcher releases PoC rooting app that exploits recent Android zero-day (Help Net Security) Researcher built on PoC exploit for CVE-2019-2215 and released a PoC rooting app that exploits the recently flagged Android privilege escalation flaw.

Pen testers find mystery black box connected to ship’s engines (Naked Security) It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night the crew had covered it up. The assumption had been that it was …

Pixel 4 Face Unlock works if eyes are shut (BBC News) Google confirms its new security system may unlock a person's device even if their eyes are shut.

Samsung says will soon patch Galaxy S10 fingerprint recognition problem (Reuters) Samsung Electronics Co Ltd said on Thursday it will soon roll out a software pat...

The most popular ransomware strains targeting UK businesses (IT PRO) What threats you're likely to face can significantly depend on the region in which you operate

Malware targets individual healthcare employees, not always VIPs (Healthcare Dive) Malicious emails most often used URLs (77% of cases) rather than attachments to deliver infected code, according to a report from cybersecurity vendor Proofpoint.

Job applicants worried as hundreds of thousands of CVs exposed online (Sky News) "I am worried about the fact that my address is out there and my phone number," an affected person told Sky News.

Attribution is hard: the incredible skullduggery used to try to blame the 2018 Olympic cyberattack on North Korea (Boing Boing) Wired has published another long excerpt from Sandworm, reporter Andy Greenberg’s (previously) forthcoming book on the advanced Russian hacking team who took the US-Israeli Stuxnet program to…

Inside Olympic Destroyer, the Most Deceptive Hack in History (Wired) The untold story of how digital detectives unraveled the mystery of Olympic Destroyer—and why the next big cyberattack will be even harder to crack.

Microsoft Ending Support for Windows 7 and Windows Server 2008 R2 (CISA) On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[1] After this date, these products will no longer receive free technical support, or software and security updates. Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

AVEVA Vijeo Citect and Citect SCADA (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: AVEVA Equipment: Vijeo Citect and Citect SCADA Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION The IEC870IP driver for Vijeo Citect and Citect SCADA has a buffer overflow that could cause a server-side crash.

Horner Automation Cscape (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Low skill level to exploit Vendor: Horner Automation Equipment: Cscape Vulnerabilities: Improper Input Validation, Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash the device being accessed, which may allow the attacker to access information and execute arbitrary code.

Vic cyber attack recommendations ignored (Newcastle Herald) Two years after a cyber attack compromised Victoria's road safety cameras a series of "urgent recommendations" to fix vulnerabilities still haven't been done.

Beware the square: how to spot malicious QR codes (Sophos News) QR codes can help you buy tickets, speed up logins and streamline software installation. But, when you scan one, how can you be sure that it’ll take you to a legitimate website?

Security Patches, Mitigations, and Software Updates

Cisco fixes serious flaws in enterprise-grade Catalyst and Aironet access points (Help Net Security) Cisco has released another batch of security updates, the most critical of which fix several risky Cisco Aironet vulnerabilities.

VMware patches critical bug in Harbor Container Registry for PCF (SC Magazine) VMware issues security advisory acknowledging a critical 'broken access control' vulnerability found in VMware Cloud Foundation and Harbor Container Registry for Pivotal Cloud Foundry

Cyber Trends

The System is Broken — 55% Believe their PII is already in the hands of Criminals (Medium) Imagine that you arrive at your home after a relaxing dinner with your family. You get to your front door and you realize that it’s wide…

Executives are not actively engaged in ensuring the effectiveness of cybersecurity strategy (Help Net Security) There's a clear lack of accountability, especially among C-suite executives, and a lack of confidence in determining the efficacy of security technologies.

How to make money with 5G? Surveillance! (CRN Australia) Outdoor cameras are the main market until 2023 when cars will take over, says Gartner.

20 Data Security Risks Your Company Could Face in 2020 (IT Security Central - Teramind Blog) This piece was originally published in Hackernoon. Today, data security is top of mind for companies, consumers, and regulatory bodies. After years of unfettered participation in the data-driven digital age...

Marketplace

Defiant Zuckerberg Says Facebook Won’t Police Political Speech (New York Times) In an address at Georgetown University, the Facebook chief executive called for more free speech — not less — as his company has been assailed for allowing lies and falsehoods to appear.

Mark Zuckerberg signals Facebook won't return to China as he calls on tech firms to defend free speech (The Telegraph) Facebook has effectively given up on bringing its services to China, its chief executive Mark Zuckerberg has confirmed, signalling a decisive end to the social media giant's ambition to enter that market.

Apple's Good Intentions on Privacy Stop at China's Borders (Wired) As pro-democracy protests continue in Hong Kong, the tech giant’s troubling relationship with an authoritarian regime has come into focus.

Splunk investing big in data startups with new Splunk Ventures (ITWire) Machine data aggregator and analytics software company Splunk has announced a $US150m fund to invest in data startups.

Avast boosts cyber security sales to $218m (CityAM) Avast posted growing sales in its third quarter despite shedding off its managed workplace and business divisions, it reported today.

Lookout App Defense penetrates global markets with new customers and strategic partnerships, helping customers prevent data compromise in mobile apps (Lookout) App Defense helps enterprises protect their customer facing apps from data compromise and fraudulent transactions. Breaches can have a significant impact on brands as hackers can compromise consumers credentials, steal PII data and initiate account takeovers.

LoginRadius Joins Cloud Security Alliance (CSA) (Technuter) LoginRadius announced their membership with Cloud Security Alliance (CSA). CSA is a not-for-profit organization that attracts a diverse and extensive network of 80,000 cybersecurity experts. CSA’s activities, knowledge, and global platform provide members with tools for creating and maintaining a robust and trusted cloud ecosystem.

Remember When I Said Buy CrowdStrike Dips? This Looks Like One of Those Times (The Motley Fool) The hot cybersecurity IPO has reversed course and is back where it started.

Axonius Appoints Lenny Zeltser As Chief Information Security Officer (PRWeb) Axonius, the cybersecurity asset management company, today announced Lenny Zeltser has been named Chief Information Security Officer (CISO). Previously serving a

CyberX Appoints Ron Zoran to Board of Directors (CyberX) Experienced Security Executive Joins Board of Fast-Growing IoT/ICS Security Firm

Products, Services, and Solutions

New infosec products of the week: October 18, 2019 (Help Net Security) New infosec products for this week include releases from the following vendors: Pradeo, Elastic, Symantec, CounterFlow AI and Trustwave.

Finnair, Finavia pilot biometric authentication in air travel (Paypers) Finnair and Finavia have tested the use of biometric authentication in air travel.

Privacy-focused Brave browser boasts 8M monthly active users (The Block) Privacy-focused internet browser Brave has hit 8 million-mark in terms of monthly active users. Announcing the news on Wednesday, Brave said daily active users, on the other hand, have surpassed the 2.8 million mark. The browser, with opt-in blockchain functionality, also compensates content creators, users and advertisers in its native Basic Attention Token (BAT) for …

AWS creeps closer to on-prem ops with VMware tie-up (CRN Australia) Cloud DBA tool RDS now runs in on-prem vSphere.

Trustwave Reimagines How Security Testing is Procured and Managed (BusinessWire) Trustwave Security Testing Services is comprehensive portfolio of security testing, scanning and vulnerability management offerings.

Technologies, Techniques, and Standards

Catalan Protesters Are Told to Avoid IPhone, Stick to Android (Bloomberg) Catalan independence activists looking for information on how to take part in the next protest against Spain can rely on a handy, two-day old app for details on when and where to go. The only catch: the app doesn’t work on iPhones.

Design and Innovation

Electronic warfare as easy as changing a light bulb (C4ISRNET) To avoid the dreaded

Academia

The Delicate Ethics of Using Facial Recognition in Schools (Wired) A growing number of districts are deploying cameras and software to prevent attacks. But the systems are also used to monitor students—and adult critics.

Legislation, Policy and Regulation

Reassessing U.S. Cyber Operations against Iran and the Use of Force (Just Security) "There is good reason to conclude the United States may have crossed the use of force threshold with this cyber operation."

We are at war in cyberspace and doing too little about it (Idaho Statesman) The recent public safety power shutoff by Pacific Gas and Electric (PG&E) has drawn critics far beyond the more than 700,000 homes or businesses that lost electricity in northern California. California’s top utility regulator said that the “scope, scale, complexity and overall impact to people’s lives, businesses and the economy cannot be overstated.”

Analysis | The Cybersecurity 202: Huawei looks to Europe to counter U.S. claims it can’t be trusted (Washington Post) Europe has rebuffed U.S. entreaties to ban Huawei from 5G networks.

NBA-China controversy shows why US needs to be careful about Huawei, FCC commissioner says (CNBC) "This NBA issue ... shows how China can leverage all sorts of different levers to exert and have people toe its own political line," Brendan Carr says

Confronting cyber threats to businesses and personal data (GOV.UK) British businesses and the public are set to be better protected from hostile cyber-attacks and online threats like disinformation and cyber-bullying.

Russia says it is starting to resume U.S. cyber cooperation: TASS (Reuters) Russia and the United States are gradually starting to resume cooperation on cyb...

Palapa Ring Launch; Jokowi Calls for Halt to Social Media Hatred (Tempo) In the launch of the Palapa Ring project, President Jokowi calls on the public to stop spreading hate, slanders, hoaxes, and fake news.

Facebook’s Mark Zuckerberg Defends Free Speech Amid Calls for Tighter Controls (Wall Street Journal) In a rare policy speech that could have ramifications for the U.S. presidential campaign and social movements world-wide, the Facebook CEO asserted his commitment to free speech amid call for tighter controls.

Facebook CEO Mark Zuckerberg says in interview he fears ‘erosion of truth’ but defends allowing politicians to lie in ads (Washington Post) Facebook chief executive Mark Zuckerberg said in an interview with The Washington Post that he worries “about an erosion of truth” online but defended the policy allowing politicians to peddle ads containing misrepresentations and lies on his social network, a stance that has sparked an outcry during the 2020 presidential campaign.

Space Industry Seeks Designation as Critical Infrastructure (Air Force Magazine) A new industry group set up to share intelligence about cyber threats to space-based assets like satellite communications will be lobbying the Trump administration to designate commercial space systems as critical national infrastructure.

Opinion | Robert C. O’Brien: Here’s how I will streamline Trump’s National Security Council (Washington Post) To achieve these policy staffing goals, we will eliminate existing vacancies and consolidate duplicative positions.

What’s new in the Army’s data strategy? Security (Fifth Domain) A new data strategy for the Army that could help the service's artificial intelligence task force is under review by senior leaders.

Litigation, Investigation, and Enforcement

U.S. Helped Moscow Foil Recent Terror Plot With Intel, FSB Says (The Moscow Times) “We pay them back and provide assistance and support," Russia's security chief said.

Ninth Circuit Restricts Immunity for Filtering Objectionable Content (Cooley) Companies that make anti-virus and similar software that helps internet uses guard against dangerous online content must now think twice about whether they can be sued for their decisions about wha…

ENIGMA SOFTWARE GROUP USA, LLC, Plaintiff-Appellant, v. MALWAREBYTES, INC., Defendant-Appellee. (United States Court of Appeals for the Ninth Circuit) The panel reversed the district court’s dismissal, as barred by § 230 of the Communications Decency Act, of claims under New York law and the Lanham Act’s false advertising provision.

How to Address Newly Revealed Abuses of Section 702 Surveillance (Just Security) Last week's FISA Court opinions provide even more evidence that the current system fails to adequately protect Americans’ privacy.

Pentagon Unclear on Extent of Environmental, Cyber Threats to Military Bases (USNI News) The DoD doesn't know the cost or scope of the threats posed by severe weather and cyber attacks to its bases, the Pentagon’s top property manager said.

Facebook co-founder and critic Chris Hughes spearheads a $10 million ‘anti-monopoly’ fund (Washington Post) Hughes and his allies are putting new money toward a new "anti-monopoly" fund, hoping to harness heightened interest around big tech into a broader movement to analyze, regulate or dismantle behemoths in agriculture, healthcare and other industries where he says competition is lacking and consumers feel the pain.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Cybersecurity for Small Businesses (Hazelton, Pennsylvania, USA, November 13, 2019) During the conference, attendees will learn how cybersecurity affects entrepreneurship, why small businesses are easy victims of cyberattacks, the impact of small business cyberattacks, and common security risks to small businesses. They will also hear about resources to assist small businesses with preemptive techniques to help resist cyberattacks.

upcoming Events

Industrial Control Systems (ICS) Cyber Security Conference (Atlanta, Georgia, USA, October 21 - 24, 2019) SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions. Since its first edition in 2002, the conference has attracted a continually rising interest as both the stakes of critical infrastructure protection and the distinctiveness of securing ICSs become increasingly apparent.

PCI SSC 2019 Europe Community Meeting (Dublin, Ireland, October 22 - 24, 2019) The PCI Security Standards Council’s 2019 Europe Community Meeting is the place to be. We will provide you with the information and tools to help secure payment data. We lead a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent criminal attacks and breaches.

Omaha Cybersecurity Conference (Omaha, Nebraska, USA, October 24, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel with three-to-five local CISOs discuss real-world problems and solutions.

Florida Cyber Conference 2019 (Tampa, Florida, USA, October 24 - 25, 2019) Join hundreds of stakeholders from Florida's cybersecurity community and beyond for innovative content, in-depth discussion, hands-on demos, networking, and more! With more than 20 breakout sessions across multiple themed tracks, pre-conference workshops, a capture-the-flag competition, and interactive experiences, Florida Cyber Conference 2019 is a can't-miss event for Florida's cybersecurity community.

National Security Leaders Symposium (Naples, Florida, USA, October 27 - 29, 2019) If there is anything that unifies CISOs, change is the one constant. For 2019, the focus is on the rapid evolution of the security industry, the rising tide of visibility on security organizations, and the high stakes at play in terms of cyber threats. From the outlook for 2019 and beyond, tech shaping the future, CISO role innovation and quantum leaps in cyber- to the ways that agents of change are affecting the role of the CISO in the future, the National Security Leaders Symposium is sure to deliver on what security leaders need to see over the horizon.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.