Atlanta: the latest from SecurityWeek's 2019 ICS Cyber Security Conference
Not Blondie, Angel Eyes, and Tuco, but the good, the bad, and the ugly nonetheless (The CyberWire) The state of ICS security: a mixed review, but on balance a hopeful one.
Attacking the operational technology through the operator (The CyberWire) Social engineering leapfrogs technical protections.
Crime as a business (The CyberWire) Black markets and those who work in them have clear economic motives, and they're paying attention to industrial control systems.
New Operational Technology Cyber Security Alliance Launches to Deliver Comprehensive Cyber Security Guidelines for Operational Technology (BusinessWire) Cyber-attacks on critical and industrial infrastructure are on the rise, impacting operational reliability and business risk across all industries, in
Powerful Forces Are Reshaping Continuous OT Monitoring Requirements (Nozomi Networks) Three powerful developments are reshaping the world’s continuous OT monitoring requirements: the rapid convergence of IT/OT security, broader use of corporate SOCs and external security providers, and accelerating digital transformation. Join ARC Advisory Group Vice President Sid Snitkin as he explores the impact each trend is having on core cyber security needs.
Cyber Attacks, Threats, and Vulnerabilities
US, UK: Russian Hackers Hijacked Iranian Malware, Infrastructure (SecurityWeek) Intelligence agencies in the US and UK say the Russia-linked threat group Turla has been using the malware and infrastructure of Iranian hackers to throw investigators off track
Russian Attackers Used Iranian Infrastructure and Tools Against Multiple Targets (Decipher) Investigations by the NSA and the UK’s NCSC found that the Russian Turla attack group was using compromised C2 infrastructure and tools belonging to an Iranian APT group in several operations.
Russian hackers have been mooching off existing OilRig infrastructure (CyberScoop) Russian-linked hackers known as the Turla group have been piggybacking on Iranian hackers’ tools and infrastructure for years now to run their own attacks, according to a joint announcement Monday from the National Security Agency and the U.K.’s National Cyber Security Centre.
A Brief History of Russian Hackers' Evolving False Flags (Wired) Most hackers know how to cover their tracks. But Russia’s elite groups are working at a whole other level.
Skip-2.0 malware provides 'magic password' to access MSSQL accounts (SC Media) Researchers today revealed their discovery of Skip-2.0, which they are calling the first publicly documented case of a backdoor targeting MSSQL Server.
Facebook Steps Up Security Amid Fresh Signs of Russia Meddling (SecurityWeek) Facebook said it was taking down more accounts for "inauthentic" activity and stepping up scrutiny of "state controlled" media seeking to manipulate American voters.
Facebook takedowns show new Russian activity targeted Biden, praised Trump (Washington Post) The company said Monday it disabled a network of accounts originating in Russia that posed at times as locals in swing states to post on divisive political issues and the upcoming presidential election.
Propaganda Works Better Than Censorship (Bloomberg) Comparing Hong Kong with Kashmir shows that manipulating social media is more effective than shutting it down.
WSJ News Exclusive | Islamic State Turns to Teen-Friendly TikTok, Adorning Posts With Pink Hearts (Wall Street Journal) Islamic State militants have been posting short propaganda videos to TikTok, the social network known for lighthearted content popular with teenagers.
Microsoft SQL Server 11 and 12 backdoor, accessible with 'magic password', linked to Chinese APT (Computing) ESET researchers attribute sophisticated MS SQL Server backdoor tool to China's Winnti Group, also known as APT17
Hackers steal secret crypto keys for NordVPN. Here’s what we know so far (Ars Technica) Breach happened 19 months ago. Popular VPN service is only disclosing it now.
TorGuard, NordVPN Respond to Breach Reports (SecurityWeek) TorGuard and NordVPN respond to reports that their systems were breached, and both blamed the incident on a third-party service provider.
Hackers Breach Avast Antivirus Network Through Insecure VPN Profile (BleepingComputer) Hackers accessed the internal network of Czech cybersecurity company Avast, likely aiming for a supply chain attack targeting CCleaner. Detected on September 25, intrusion attempts started since May 14.
Avast targeted in suspected new supply-chain attack (Computing) Avast reveals details of new attempted supply-chain attack just two years after CCleaner compromise
Avast: No plans to discontinue CCleaner following second hack in two years (ZDNet) Czech intelligence agency: "Data analysis suggests that the attack came from China."
Avast Hacked: Intruder Got Domain Admin Privileges. (Computer Business Review) Avast hacked: Temporary VPN profile without 2FA enabled used to escalate privileges in "extremely sophisticated" attack, cybersecurity company says.
Avast, NordVPN Breaches Tied to Phantom User Accounts (KrebsOnSecurity) Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that — while otherwise unrelated — shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password.
ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe' (Register) Try not to save files to your Windows PC called cmd.exe or regedit.exe
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - Crescendo (McAfee Blogs) Episode 4: Crescendo This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab,
Report: Travel Reservations Platform Leaks US Government Personnel Data (vpnMentor) Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breach in a database belonging to Autoclerk, a reservations
New Microsoft Phishing Campaign Targets Office365 Users (Heimdal Security Blog) Links to the phishing domains come from compromised accounts (including LinkedIn). How hackers combine tactics in an advanced threat.
Removing More Coordinated Inauthentic Behavior From Iran and Russia (Facebook Newsroom) We removed four separate networks of accounts, Pages and Groups for engaging in coordinated inauthentic behavior on Facebook and Instagram.
“Debug mode” in popular webdev tool exposes credentials for hundreds of websites, including Donald Trump’s (Comparitech) Donald Trump's campaign website and hundreds of others failed to disable debug mode in Laravel, a popular PHP framework, exposing secret credentials on the web.
Cyber-criminals are the new entrepreneurs in an age of the "feral" Internet of Things (diginomica) Cyber-security and the new entrepreneurs on the IoT
‘C’est moi’: Mitt Romney admits to running secret Twitter account under the alias ‘Pierre Delecto’ (Washington Post) As Pierre Delecto, Romney used the account to like critical tweets about the president while also occasionally defending himself against detractors.
Pitney Bowes Says Disruptions Caused by Ryuk Ransomware (SecurityWeek) Global shipping and ecommerce giant Pitney Bowes has blamed the recent security incident that caused some service disruptions on the Ryuk ransomware
Georgia County's Experience Shows Perils of Ransomware (SecurityWeek) Ransomware attacks have taken out computer systems at law enforcement agencies and local governments around the country, forcing them to revert to pen and paper for tasks typically done in an instant on computers.
Indiana Hospital System Notifying Patients After Data Breach (SecurityWeek) A northwestern Indiana hospital system is warning more than 68,000 patients that their personal information, including Social Security numbers and health records, may have been exposed during a data breach.
Korean politician claims Google Maps exposes 40% of country's military facilities (Telecompaper) Google Maps' satellite mode has fully exposed to the general public nearly 40 percent of sensitive military sites in South Korea, The Korea Times reports, citing Democratic Party of Korea lawmaker Park Kwang-on.
Security Patches, Mitigations, and Software Updates
Google Boosts Site Isolation in Chrome (SecurityWeek) Google has improved the Site Isolation feature in Chrome to help defend against more types of attacks.
Cyber Trends
SOSS X (Veracode) Veracode presents volume 10 of the State of Software Security (SOSS) report, our comprehensive review of application testing data.
KnowBe4 Finds Email Subject Lines Focused on Security-Minded End Users are Effective (KnowBe4)
New report offers insights into phishing scammers' go-to tricks (Healthcare IT News) Email cyber attackers frequently use certain keywords in their subject lines, according to Proofpoint, and tend to send their salvos at certain advantageous times of day.
Data Leaks in the Medical Industry: A Worldwide Epidemic (WizCase) WizCase recently found database leaks from several different medical websites from around the world. The unsecured data includes prescriptions, medical ...
Marketplace
Huawei ban: Full timeline on how and why its phones are under fire (CNET) Here's a breakdown of the controversial Chinese telecom and phone maker's saga so far.
Five Months After Huawei Export Ban, U.S. Companies Are Confused (Bloomberg) U.S. tech companies still awaiting licenses to continue sales. Trump said he would look at Huawei after phase one deal signed.
CrowdStrike CEO surprised that cybersecurity firm was called out in Trump-Ukraine call (CNET) CrowdStrike investigated the 2016 hack of the Democratic National Committee.
Why Did the Market Strike Down CrowdStrike? (The Motley Fool) A great company just went on sale.
Trend Micro Acquires Cloud Conformity to Cement Its Position as the Global Leader in Cloud Security (BusinessWire) Trend Micro Incorporated (TYO: 4704; TSE: 4704), the global leader in cloud security, today announced it has acquired Cloud Conformity, an innovative
Trend Micro acquires Sydney-headquartered Cloud Conformity for US$70 million (CRN Australia) Taking aim at Palo Alto Networks.
Trend Micro Takes On Palo Alto Networks With Cloud Conformity Buy (CRN) Trend Micro aims to maintain its leadership position in cloud security over Palo Alto Networks through the $70 million purchase of cybersecurity startup Cloud Conformity.
Threat Intelligence Firm Flashpoint Raises $34 Million (SecurityWeek) Threat intelligence firm Flashpoint receives $34 million in investment and debt financing, which the company plans on using to accelerate growth.
Under New Ownership, DigiCert Expands into Verified Mark Certificates (SecurityWeek) Combining a Verified Mark Certificate and DMARC will allow organizations to add the marketing effect of their branded logo to phishing-proofed emails.
Forcepoint in a rush to make a channel difference (MicroscopeUK) Security player is turbo-charging its efforts to put structures in place to work with partners
WidePoint Receives $14.7 Million in Recent Contract Awards for Telecom Expense Management (TEM) and Mobility Managed Services (MMS) (West) WidePoint Corporation (NYSE American: WYY), the leading provider of Trusted Mobility Management (TM2) specializing in Telecommunications Lifecycle Management, Identity Management and Digital Billing & Analytics solutions, today announced that the company received approximately $14.7 million in recent contract awards for Telecom Expense Management (TEM) and Mobility Managed Services (MMS) during the third quarter of 2019.
Leidos Adds Automation Anywhere and Tanium to Its Partner Network (The Breeze) Leidos (NYSE: LDOS), a FORTUNE 500 science and technology leader, today announced the addition of Automation Anywhere and Tanium into the Emerging Technology
SECUDE Joins Microsoft Intelligent Security Association (Yahoo) SECUDE, SAP partner and a leading data security provider specializing in security for SAP and CAD data, today announced that it has joined the Microsoft Intelligent Security Association. For SECUDE, the collaboration is a critical step forward on multiple fronts. The agreement permits SECUDE’s product
LogMeIn bolsters APAC channel team with new hires (CRN Australia) Yvette McEnearney and Mark Harvey hired to lead UC business.
Secureworks Welcomes Steve Hardy as Chief Marketing Officer (BusinessWire) Secureworks appoints Steve Hardy as Chief Marketing Officer
BioNovelus, Inc. Announces Patricia Frost to Join Advisory Board (West) BioNovelus, Inc. (OTC: ONOV) announces Patricia Frost has joined the Company’s Advisory Board. BioNovelus’ Advisory Board seats individual entrepreneurs and senior cyber security / information technology (IT) executives with business, government and technical expertise useful for assisting in identifying, integrating and growing acquired companies.
Products, Services, and Solutions
ZeroNorth and Raytheon Collaborate to Enhance Cybersecurity for Software and Infrastructure (ZeroNorth) ZeroNorth announced an agreement with Raytheon Company’s Intelligence, Information & Services business to support initiatives that will enhance cybersecurity for critical software & infrastructure.
Nok Nok Labs First to Provide FIDO-Based Authentication for Smart Watches (Nok Nok Labs) Strategic Analytics recently reported that global smart watch shipments grew an impressive 44 percent annually to reach 12 million units in the second quarter of 2019. Smart watch usage for applications beyond fitness has grown to include banking, productivity applications such as Slack, ecommerce such as Apple Pay, as well as home security applications such …
Pulse Secure Accelerates Enterprise Means to Achieve Zero Trust Security for Hybrid IT (Markets Insider) Pulse Secure, the leading provider of software defined Secure Access solutions, today announced that i...
XM Cyber Achieves SOC 2 Type II Certification (PR Newswire) XM Cyber, the multi-award-winning breach and attack simulation (BAS) leader, today announced that it has...
Bugcrowd Launches First Crowd-Driven Approach to Risk-Based Asset Discovery and Prioritization (Bugcrowd) Attack Surface Management enables security and IT teams to rapidly identify, prioritize, and secure previously unknown assets for ultimate defender’s advantage
Talkdesk supports Cognosante contact center operations for 2,400+ agents (Talkdesk) Talkdesk cloud cures on-premises condition for Cognosante to transform the healthcare system through technology solutions
Akamai Reaches New Milestone for Web Traffic Delivered (PR Newswire) Akamai (NASDAQ: AKAM), the intelligent edge platform for securing and delivering digital experiences, announced...
IT security firm Check Point launches products for SMEs as cyberattacks on small businesses grow (The Financial Express) Technology for MSMEs: Cyber attacks are among the key challenges faced by small businesses even as 48 per cent SMBs saw instances of a data breach in their businesses up from 46 per cent last year, a survey report by cybersecurity firm Kaspersky said recently.
Rackspace Selects Armor to Deliver Best-in-Class Security for Hybrid Cloud Environments (Markets Insider) Rackspace today announced that it has selected Armor, a top global provider of cloud security-as-a-service ...
Splunk Mission Control Takes Off, Supercharging the Security Operations Center (Splunk) Splunk Inc. announced new innovations across its Security Operations Suite to modernize and unify the Security Operations Center (SOC). Anchored by the newly launched Splunk® Mission Control, the Splunk Security Operations Suite makes it easier than ever for security analysts to turn data into doing by managing security across the entire threat lifecycle.
Banks withdraw fingerprint authentication support on Samsung Galaxy S10 smartphones (Computing) Samsung Galaxy S10 smartphone allows anyone to unlock devices when covered in third-party screen protectors.
Technologies, Techniques, and Standards
Managing legacy change: FBD Insurance CTO Enda Kyne on restoring IT control (Computing) 'We centralised everything internally and started to get the practices right, from requirements through to development standards'
How cybersecurity accelerates business growth (Help Net Security) It’s no secret that the cybersecurity industry has grown exponentially over more than a decade due to the proliferation of high-profile cybercrime.
‘The Golden 5 Minutes’: The Need For Speed In Information War (Breaking Defense) The Army wants to overhaul its Cyber Command to stamp out online disinformation before it goes viral. But there are risks.
STOP Ransomware Decryptor Released for 148 Variants (BleepingComputer) The release of Emsisoft's STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer. It should be noted, though, that while this decryptor can help with the majority of STOP variants, anyone who was infected after August 2019 cannot be helped.
Design and Innovation
Microsoft announces Secured-core PCs to counter firmware attacks (VentureBeat) Microsoft has announced Secured-core PCs, a new initiative to combat threats specifically targeted at the firmware level and data stored in memory.
Facebook to add label to state-backed news sites in attempt to battle foreign election meddling (The Telegraph) Facebook will apply labels to news websites such as the Kremlin-backed broadcaster Russia Today in an attempt to prevent foreign interference in future elections.
Facebook steps up security amid fresh signs of Russia meddling (The Bull) Facebook said Monday it was tightening its security for the 2020 US elections, amid signs of fresh activity from Russia attacking Democratic presidential candidates, including Joe Biden. The leading social network said it was taking down more accounts for “inauthentic” activity and stepping up scrutiny of “state controlled” media seeking to manipulate American voters. As...
Research and Development
Naval Research Lab brainstorms plan to tackle AI’s data-centric challenges (Federal News Network) For all of DoD’s aspirational projects, AI tools tend not to fare well in situations where data is sparse or is not structured in a way the algorithm can process.
IBM Says Google’s Quantum Leap Was a Quantum Flop (Wired) A paper from Google leaked last month claimed its researchers had achieved “quantum supremacy.” Now IBM says Google rigged the test.
Legislation, Policy, and Regulation
Lawmakers continue to review draft law on cryptography (Xinhua) Chinese lawmakers on Monday continued to review the draft law on cryptography.
Will China’s revised cybersecurity rules put foreign firms at risk of losing secrets? (South China Morning Post) Beijing is putting in place new tools that make it ‘much more difficult for companies to keep their information private’, cybersecurity expert says.
China’s Cyberspace Watchdog Approves 309 More Blockchain Services (Cointelegraph) The Cyberspace Administration of China adds 309 more companies to its list of registered blockchain service providers.
Germany Chooses China Over the West (Foreign Policy) Berlin’s refusal to shut Huawei out of its 5G networks weakens Europe’s prospects of standing up to Beijing.
New Cybersecurity Bills Promote CISOs and Privacy (SecurityWeek) The Cybersecurity Disclosure Act of 2019 is a relatively small change of wording to the Cybersecurity Disclosure Act of 2017, but with potentially far-reaching effects.
Silicon Valley Lawmaker Proposes Cyber Training for Every Federal Employee (Nextgov.com) Rep. Ro Khanna plans to introduce a bill that would require feds to learn basic cyber hygiene, including how to securely navigate the internet of things.
Report: Management Alert - EPA Still Unable to Validate that Contractors Received Role-Based Training for Information Security Protection | US EPA (US EPA) Report #20-P-0007, October 21, 2019. The EPA has limited assurance that contractor personnel are maintaining skills needed to combat efforts to destroy, steal or hold for ransom the EPA's systems and sensitive information.
NSA Wants to Help Private Sector, Increase Focus on Commercial Products (ClearanceJobs) A new group within the NSA is reaching out to commercial tech providers with a message - 'we're here to help.'
Is intelligence "reform" a self-licking ice cream cone and compliance trap? (Reason.com) Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office
Litigation, Investigation, and Law Enforcement
Assange argues that U.S. charges against him are ‘political’ and a bar to his extradition (Washington Post) Lawyers told a London court that the charges against the WikiLeaks co-founder are part of a Trump administration war on whistleblowers.
Czech Police, Intelligence Bust Russian Spy Network (SecurityWeek) Czech police and intelligence services said on Monday they had busted a Russian espionage network operating through its Prague embassy.
Czech Intel Chief Says Russian Spy Network Was Meant For Cyberattacks (RadioFreeEurope/RadioLiberty) The head of the Czech counterintelligence service says a Russian espionage network that his agency dismantled last year was meant to be used for cyberattacks against the Czech Republic and its foreign allies.
‘State actor’ responsible for cyber attack likely to stay a secret (The Australian) A confidential report into a cyber attack on parliamentary systems in February by a “sophisticated state actor” is likely to remain secret, according to Senate president Scott Ryan.
Boeing’s Board Confronts Further 737 Max Scandal (New York Times) Company directors are meeting today after the revelation that a top pilot had warned about a flight system now suspected of a role in two fatal crashes.
EU contracts with Microsoft raising ‘serious’ data concerns, says watchdog (TechCrunch) Europe’s chief data protection watchdog has raised concerns over contractual arrangements between Microsoft and the European Union institutions which are making use of its software products and services. The European Data Protection Supervisor (EDPS) opened an enquiry into the contractual arr…
Commerce IG auditing Census Bureau’s cybersecurity ahead of 2020 count (Federal News Network) In today’s Federal Newscast, the Commerce Department’s inspector general is running an audit of the bureau’s cybersecurity measures.
Equifax used default 'admin' user name and password to secure hacked portal (Computing) Lawsuit claims that Equifax IT security was negligent and that the company made 'false and misleading statements' about its IT security and data protection compliance
Man sentenced for hacking LA court system (Washington Post) A man who hacked Los Angeles County court computers, sent 2 million malicious phishing emails and stole hundreds of credit card numbers has been sentenced in Los Angeles