Cyber Attacks, Threats, and Vulnerabilities
Auditors Uncover Tens of Thousands of Critical Security Gaps At Energy Facilities (Nextgov.com) The review, which included locations operated by the National Nuclear Security Administration, revealed multiple cybersecurity weaknesses recurring year after year.
Ginp Android Banker Sets as Default SMS App, Steals All Text (BleepingComputer) A new strain of mobile banking trojan called Ginp has been constantly refined to collect login credentials and credit card details.
Some Fortinet products shipped with hardcoded encryption keys (ZDNet) It took Fortinet 18 months to fix the issue. Updates are now out.
FortiGuard Used Hardcoded Key, XOR to Encrypt Communications (BleepingComputer) Security researchers found that multiple security products from Fortinet use weak encryption and static keys to communicate with FortiGuard services in the cloud, such as AntiSpam, AntiVirus, and Web Filter.
Facebook and Twitter say hundreds of users accidentally gave improper access to personal data through third-party apps (CNBC) Facebook and Twitter announce that personal data of hundreds of users may have been improperly accessed after they used their accounts to log in to certain apps.
Warning over spike in attacks on exposed Docker platforms (Computing) Attackers have already scanned nearly 59,000 IP networks, claim researchers
Forget zero-days, the most dangerous vulnerabilities are decades old, says ethical hacker (Computing) Ethical hacker Holly Grace Williams on the blind spots that lead to companies being compromised
Exploit kits are slowly migrating toward fileless attacks (ZDNet) Three out of the nine exploit kits active today are using fileless attacks to infect victims.
Mystery blurs dump of over 1 billion people's personal data (Tech Explore) Two security sleuths last month discovered an enormous amount of data that was left exposed on a server. Data found on the server belonged to around 1.2 billion people.
Tech service provider for nursing homes a ransomware victim (Washington Post) Hackers have launched a ransomware attack against a Milwaukee-based company that provides technology services to more than 100 nursing homes nationwide
Hackers demand $14 million from nursing homes in ransomware attack (CBS News) Some facilities unable to access patient records, order drugs or pay employees after their computers were hijacked
Vulnerability Summary for the Week of November 18, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Cyber Trends
Cybercriminals targeting e-commerce website vulnerabilities this holiday season (Help Net Security) Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.
The New Norm (Trend Micro) The year 2020 marks the transition to a new decade, and recent notable events and trends signify a similar changeover in the threat landscape.
Fingerprints - Access all areas - Using biometrics to make it genius (Fingerprints) We all have several things to open, access and unlock, multiple times daily. Buildings, devices, padlocks, vehicles, servers – the list goes on.
Over 38 Million Healthcare Records Exposed in Breaches Over 2019 (BleepingComputer) This October was the month with the largest number of data breaches formally reported by entities in the healthcare sector.
10 Predictions How AI Will Improve Cybersecurity In 2020 (Forbes) Capgemini predicts 63% of organizations are planning to deploy AI in 2020 to improve cybersecurity, with the most popular application being network security.
From afterthought to providence, cybersecurity’s journey has come full circle (SiliconANGLE)
7 Big Ideas from Cybersecurity Leaders We've Interviewed | Bricata (Bricata) This post brings together powerful ideas from the interviews we've conducted with cybersecurity leaders for our Q&A series.
Marketplace
Cybersecurity Firm Buguroo Raises $11M to Build on Its Success in Europe and Latin America, Now Sets Its Sights on Global Expansion (PR Newswire) Madrid-based cybersecurity firm buguroo has secured $11 million in Series A funding to bring its Deep Learning based online fraud detection and...
Detectify raises additional €21M for its ethical hacker network (TechCrunch) Detectify, the Sweden-born cybersecurity startup that offers a website vulnerability scanner powered by the crowd, has raised €21 million in further funding. Leading the round is London-based VC firm Balderton Capital, with participation from existing investors Paua Ventures, Inventure and Insight …
Cymulate raises $15 million to expand its cloud-based security platform (VentureBeat) Cymulate today announced that it has raised $15 million in venture capital as the cybersecurity company seeks to expand its cloud-based platform.
Palo Alto Networks acquires Aporeto for cloud security (ZDNet) Meanwhile, Palo Alto reported Q1 results above expectations; Nutanix also reported solid Q1 results.
Dell to explore sale of RSA Security (TechCentral) Dell Technologies is exploring a sale of RSA Security, a cybersecurity business it hopes could fetch at least US$1-billion, including debt, according to people familiar with the matter.
Dell to Explore Sale of RSA Cybersecurity Unit (Bloomberg) Computer maker’s unit could fetch at least $1 billion in sale. Dell acquired RSA through its 2016 takeover of EMC Corp.
Proofpoint Completes the Acquisition of ObserveIT (Yahoo) Proofpoint, Inc., (PFPT), a leading cybersecurity and compliance company, today announced it has completed its acquisition of ObserveIT, the leading insider threat management platform. “More than 30% of all data breaches are the result of insider threats and only a people-centric approach to data security
Kape’s transformational acquisition (Investors Chronicle) An acquisition should prove to be a game changing deal for the cyber security software company
Jacobs further steps away from 'E&C' label as KeyW integration moves ahead (Washington Technology) By rebranding and recasting itself, Jacobs begins to tell investors a different story about the company, with the acquisition of KeyW Corp. a critical piece of that new narrative.
Google Fires Four Workers, Including Staffer Tied to Protest (Bloomberg) Move comes after employee protests and union organizing. Tension has been rising between company management and staff.
Champagne, shotguns, and surveillance at spyware’s grand bazaar (MIT Technology Review) The world’s leading surveillance and spyware companies gathered in Paris to meet growing demand from governments around the world.
If We Could Share What NSO Really Does, Media Discourse Would Change, Says Exec (CTECH) Shiri Dolev, president and chief product officer of Israeli cyber surveillance company NSO, spoke Monday at Calcalist’s Mind the Tech conference in Tel Aviv
Zscaler Stock Is Surging Because the Company Is ‘Future-Proof’ (Barron's) Bank of America Merrill Lynch analyst Daniel Bartus raised his rating on the company to Buy from Neutral, with a new price target of $68, up from $65.
Cygilant Establishes Customer Advisory Board to Help Guide Long-Term Strategy and Future Security-as-a-Service Offerings (BusinessWire) Cygilant established a customer advisory board to guide the company’s future offerings and growth. First member is Will Semple of eBay.
Former DHS CIO Zangardi Joins Leidos (Defense Daily) Leidos on Monday said that John Zangardi, who resigned from the Department of Homeland Security in mid-November after two years as chief information office
CyberArk Names Matthew Cohen Chief Revenue Officer (BusinessWire) CyberArk, (NASDAQ: CYBR), the global leader in privileged access management, announced that Matthew Cohen will join CyberArk’s executive management te
Products, Services, and Solutions
Anitian Completes SOC 2 Type I Certification for Security Operations Services (Anitian) This rigorous audit validates Anitian as a trusted partner for cloud security operations
Coronet Partners with Coalition to Offer Combined Enterprise-Grade Cyb (PRWeb) Leader in small business cybersecurity Coronet today announced a cutting-edge partnership with Coalition, the leading cyber insurance provider for small an
Qualys Brings its Vulnerability Management Solution to the Next Level (Dark Reading) Introducing VMDR: Vulnerability Management, Detection, and Response. VMDR delivers a continuous cycle of protection from a single pane of glass with built-in orchestration workflows and real-time vulnerability detection to prioritize, remediate, and audit across hybrid IT environments.
ForgeRock Expands Relationship with Amazon Web Services (West) Support for AWS Resources with AWS Session Tags Designed to Further Streamline User Access
Tanium Announces Key Platform Enhancements to Help Customers Achieve Visibility, Management & Security Across Endpoints (Dark Reading) Unified endpoint management and security breaks down organizational silos and provides IT teams with unprecedented visibility and control of their environment.
Sonatype Fully Automates Container Security (Container Journal) Nexus Lifecycle delivers open API for best-in-class policy control for all container layers Fulton, MD, Nov. 25, 2019 (GLOBE NEWSWIRE) -- Sonatype,
Sumo Logic Expands Global Intelligence Service | Markets Insider (markets.businessinsider.com) Sumo Logic, a leader in continuous intelligence, today continues to follow-through with ...
SyncDog Enables Small Businesses by Easing New Hire Onboarding and Mobile Device Security (BusinessWire) SyncDog Inc., the leading Independent Software Vendor (ISV) for next generation mobile security and data loss prevention, provides unrivaled support f
Code42 Offers New Insider Risk Detection Capabilities to Help Security Teams Quickly Spot Data Theft When Employees Resign and Depart (BusinessWire) Code42 has advanced its data security solution with new capabilities designed to help companies defend against the rising tide of insider threats.
AlgoSec’s Network Security Management Solution Now on Cisco’s Global Price List (EIN) AlgoSec extends Cisco ACI’s policy-based automation to security devices in the Data Center
Technologies, Techniques, and Standards
Finland becomes the first European country to certify safe smart devices – new Cybersecurity label helps consumers buy safer products (Traficom) The Finnish Transport and Communications Agency Traficom has today launched a Cybersecurity label. The label guarantees to consumers that the labelled devices have basic information security features. The Cybersecurity label can be awarded to networking smart devices if the devices meet the certification criteria, which are based on EN 303 645. With the label, Traficom aims to raise consumer awareness of information security and the safe use of connected devices.
Reports of Pemex cyberattack has U.S. companies taking precautions (Houston Chronicle) American oil companies operating south of the border are stepping up their cybersecurity measures following reports of a ransomware attack that allegedly knocked out computers at Mexico's state-run oil company Petroleos Mexicanos, or Pemex.
CISA Releases “Cyber Essentials” to Assist Small Businesses Updated (The National Law Review) On November 6, 2019, the Department of Homeland Security (“DHS”), Cybersecurity & Infrastructure Security Agency ("CISA") released its Cyber Essentials guide.
Shop Safely (CISA) The holiday season is a prime time for hackers, scammers, and online thieves. While millions of Americans will be online looking for the best gifts and Cyber Monday deals, hackers will be looking to take advantage of unsuspecting shoppers by searching for weaknesses in their devices or internet connections or attempting to extract personal and financial information through fake websites or charities.
Huawei controversy shows US need for robust supply chain security strategy (C4ISRNET) As 5G implementation picks up, the U.S. government needs an established and repeatable process to mitigate supply chain security risks.
Increased Ransomware Attacks Affecting All Industries (JD Supra) Organizations across all industries, including government agencies, are facing a surge of ransomware attacks launched by cybercriminals. New types of...
Time to Warn Users About Black Friday & Cyber ... (National Cyber Security) Warn your employees to avoid the inevitable scams associated with these two “holidays,” or you risk compromising your company’s network.
These 4 Tips Will Make You Fluent in Cyber Risk (ZeroNorth) Understanding the Security Gap According to a recent report by the Advanced Cyber Security Center, 91% of organizations say their boards believe cybersecurity presents some level of business risk. However, 64% of those respondents also agreed the role of their company’s board in digital transformation initiatives is an early-stage or maturing partnership. These numbers highlight …
Ad-blocking companies block ‘unblockable’ tracker (Naked Security) Ad-blockers have figured out a way to block the unblockable – a pernicious tracker technique that hides advertising networks in plain sight.
Activity around DOD's new cyber certification to heat up in early 2020 (Washington Technology) Activity around the Defense Department's new cybersecurity certification for contractors should heat up in early 2020 and expectations are that civilian requirements will begin to hit in 2021.
Research and Development
Cyberwarriors lack planning tools. That could change. (Fifth Domain) Cyberwarriors still don't have a robust cyber-planning tool that spans across all services and teams within U.S. Cyber Command. The Air Force and Strategic Capabilities Office is continuing DARPA's work to change that.
Academia
Major role possible for USC Aiken as Cyber Command brings opportunity to South Carolina (Aiken Standard) The establishment of the U.S. Army’s new Cyber Command headquarters at Fort Gordon and other related developments have created a “huge opportunity” for the entire Palmetto State, University of South
Legislation, Policy, and Regulation
Tim Berners-Lee unveils global plan to save the web (The Guardian) Inventor of web calls on governments and firms to safeguard it from abuse and ensure it benefits humanity
The EU doesn’t have a sense of its disinformation problem — this report suggests the policy changes it can make (Nieman Lab) "In the long run, it is unsustainable for public authorities and private companies to be allowed to mark their own homework in such an important area with no independent oversight."
China issues directive to 'intensify' protections around intellectual property rights (TheHill) The Chinese government on Sunday announced it was “intensifying” intellectual property rights protections, as Washington and Beijing struggle to reach a trade deal due in part to disagreements over IP issues.
The EU says security is not the only concern when it comes to 5G (CNBC) European governments should consider the wider consequences of handing out contracts to 5G suppliers, according to an EU document seen by CNBC.
Analysis | The Cybersecurity 202: U.S. officials fret about hacking by a new generation of nations (Washington Post) Vietnam, Qatar and others are entering a field once dominated by Russia and China
With U.S. cyber policy, clear lanes still hard to come by (FCW) The elevation of CISA and maturation of Cyber Command have clarified 'big picture' responsibilities for the U.S. government's cyber mission, but private-sector coordination remains a question mark.
Ohio gears up cyber-soldiers for virtual defense tactics in 2020 (Crain's Cleveland Business) From Bloomberg: Cyberattacks in Ohio have disrupted airport flight displays, led to the shutdown of a help line during a winter storm and cut off access to police investigation reports temporarily. The Buckeye State is fighting back.
Litigation, Investigation, and Law Enforcement
European police attack Islamic State's online presence (Reuters) European police agencies have knocked out several internet servers used by Islam...
First target of Singapore’s ‘fake news’ law is Facebook post that alleged a failed state investment in Salt Bae (Washington Post) The government says the post by the opposition lawmaker inaccurately described how state investors work.
Apple Settles Allegations of U.S. Sanctions Violations (Wall Street Journal) The technology giant allegedly violated U.S. sanctions by hosting, selling and facilitating the transfer of software applications from a Slovenian software company that was previously blacklisted by the U.S., according to the Office of Foreign Assets Control
OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud (Naked Security) A lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars.
Retired colonels bribed active-duty officers, paid military spouse $1.2 million for ‘no-show’ job, to win IT contracts (Army Times) A retired colonel has pleaded guilty in a $20 million bribery scheme.
Who Leaked ‘Sword And Shield’ Secrets? Pokémon Lawyers Want To Catch ’Em All (Forbes) Pokémon lawyers blame four Discord users for leaking Sword and Shield game secrets before launch. They now want Discord and 4Chan to help identify them.
Five Years Later, Who Really Hacked Sony? (The Hollywood Reporter) The massive cyberattack just before Thanksgiving 2014 crippled a studio, embarrassed executives and reshaped Hollywood. The FBI blamed a North Korea scheme to retaliate for the comedy 'The Interview,’ but many whose lives were upended have doubts. Says Seth Rogen: "The fact that [co-director Evan Goldberg and I] were never really specifically targeted always raised suspicions in my head."
Perspective | Trump’s conspiracy theory about ‘the server’ threatens election security (Washington Post) The president has gone to bizarre lengths to ascertain the whereabouts of a computer that effectively doesn't exist.