Cyber Attacks, Threats, and Vulnerabilities
The hacker's paradise: Social networks net criminals $3bn a year in illicit profits (ZDNet) The reach, draw, and popularity of social networks are becoming big business for fraudsters.
The Dark Sides of Modern Cars: Hacking and Data Collection (Threatpost) How features such as infotainment and driver-assist can give others a leg up on car owners.
Most laptops vulnerable to attack via peripheral devices, say researchers (University of Cambridge) Many modern laptops and an increasing number of desktop computers are much more vulnerable to hacking through common plug-in devices than previously thought, according to new research.
Drupal RCE Flaw Exploited in Attacks Days After Patch | SecurityWeek.Com (SecurityWeek) The Drupal remote code execution vulnerability CVE-2019-6340 has been exploited in the wild to deliver cryptocurrency miners and other threats.
MWC 2019: Your bionic hand is now at risk from hackers (ZDNet) Infiltrating pacemakers is yesterday’s news. Advanced prosthetic limbs are now on the hit list.
Smart Homes at Risk Due to Unpatched Vulnerabilities, Weak Credentials (BleepingComputer) 40.8% of smart homes have at least one device vulnerable to remote attacks, a third of them being vulnerable because of outdated software with unpatched security issues, while more than two-thirds are exposed by weak credentials.
Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints (Register) Direct-to-memory attacks now account for 57 per cent of hacks, apparently.
Most IoT devices are being compromised by exploiting rudimentary vulnerabilities (Help Net Security) Cybercriminals are looking for ways to use trusted devices to gain control of IoT devices via password cracking and exploiting other vulnerabilities.
SG’s first line of defence to fight cyber attacks still lacks teeth (The Independent) Despite reliable infrastructure, technology and regulations in place, the human element is still the weak link when it comes to cyber security.
Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor (BleepingComputer) Researchers have discovered a malspam campaign that is distributing a malicious RAR archive that may be the first one to exploit the newly discovered WinRAR ACE vulnerability to install malware on a computer.
Hacking group using Polyglot images to hide malvertising attacks (DEVCON) What happens when an image is also JavaScript? And when that image does not even need a payload to extract the malware from the image... Well then you have a polyglot!
Malvertising attacks using polyglot images spotted in the wild (SC Media) The malvertising space may be seeing an influx of more advanced threat actors according to one research report that found polyglot images now being used to disguise malvertising attacks.
Researchers discover use of malicious cyber tool to commit digital ad fraud (The Hill) A company focused on cybersecurity for the media industry says it has discovered that hackers are now using a technique designed to hide malicious code to commit digital ad fraud.
IoT Flaws Reveal Need to Work with Researchers (Infosecurity Magazine) McAfee researchers disclose two vulnerabilities in common IoT devices.
Social Engineering Employed to Steal Data (Infosecurity Magazine) One in three cyberattacks during Q4 2018 used social engineering tactics, says Positive Technologies.
Mozilla May Reject UAE Firm's Root Inclusion Request (SecurityWeek) Mozilla is considering rejecting a request by United Arab Emirates-based DarkMatter to be accepted as a top-level certificate authority in Mozilla’s root certificate program.
Cyber criminals cash in on millions with formjacking: ISTR (CISOMAG) Formjacking attacks are simple – essentially virtual ATM skimming – where cyber criminals inject malicious code into retailers’ websites to steal shoppers’ payment card details. On average, more than 4,800 unique websites are compromised with formjacking code every month globally.
Undisclosed number of TurboTax accounts breached (SC Media) Intuit, the company behind tax preparation software TurboTax, alerted users their accounts may have been accessed by an unauthorized party.
TurboTax hack: Intuit says there was no data breach, users are not at risk (Newsweek) TurboTax parent company Intuit said Monday it did not suffer a data breach that resulted in a third-party gaining access to the personal information of users.
China's tech giants are a security threat to the UK, says Brit spy bigwig (Register) Times are strange when spies talk about infosec and economics colliding.
Plain wrong: Millions of utility customers’ passwords stored in plain text (Ars Technica) "It's ridiculous vendors are replying to researchers via general counsel, not bug bounty."
Missile warning sent from hijacked Tampa mayor’s Twitter account (Naked Security) Tampa’s mayor was trying to regain control of his Twitter account this week after it was used to post bomb threats and child sex abuse images.
Renting out dedicated cloud server hardware? Don't just grin and bare it. Check your firmware is scrubbed of any spies (Register) Infosec bods spot IBM SoftLayer not wiping down BMC flash memory after use
Eclypsium Bare Metal Cloud Research (Eclypsium) What are bare-metal cloud services? Organizations increasingly deploy their most sensitive and critical applications on bare-metal cloud offerings. These services let organizations easily scale their applications up or down without the cost and challenges of buying and maintaining their own hardware. Using bare-metal ensures they have complete control over the hardware for performance needs of critical applications and that sensitive data is not stored on a machine shared by another cloud customer. It is a high-end cloud option for the most sensitive applications.
Vulnerability involving IBM Cloud Baseboard Management Controller (BMC) Firmware (IBM PSIRT Blog) Summary: The Baseboard Management Controller (BMC) is a third-party component designed to enable remote management of a server for initial provisioning, operating system reinstall and troubleshooting. As part of IBM Cloud’s Bare Metal Server offering, clients have access to the BMC.
Ransomware has been abandoned in favor of cryptojacking attacks against the enterprise (ZDNet) As company defenses improve, criminals are looking for ways to secure a return on their illicit schemes.
Security Patches, Mitigations, and Software Updates
Serious Flaws in WibuKey DRM Impact Siemens Products (SecurityWeek) Siemens informs customers that its SICAM process control system and SIMATIC WinCC HMI are affected by serious vulnerabilities in the WibuKey DRM.
Algorithm flaw meant Census responses could be identified (iTnews) Vulnerability already fixed by ABS.
Android adopts FIDO2 authentication standard as alternative to passwords (SC Media) The Android OS is now certified to employ the FIDO2 standard, a development that could help owners of over a billion Android devices phase out passwords.
Cyber Trends
What Yahoo's Failed Data Breach Settlement Means for Cybersecurity (Infosecurity Magazine) What does the legal state of Yahoo's breach settlement mean for the future of cybersecurity?
Healthcare industry: Key trends and cybersecurity challenges (Help Net Security) The number of breaches in 2018 was lower than that of the previous year. The total number of records breached has more than doubled since 2017.
New Report Shows 550 Percent Increase in Consumer Security Risks Connected to Apps (Security Today) McAfee's Mobile Threat Report found that reporting backdoors, malicious cryptomining, fake apps and banking Trojans all increased substantially in 2018.
Threatpost Data: Password Managers Are Worth the Risk (Threatpost) The Threatpost reader poll examined risk, vulnerabilities, 2FA, the human element, attitudes on spreadsheets and more when it comes to password managers.
Bitglass 2019 Healthcare Breach Report: Hacking and IT Incidents Account for Nearly Half of All Healthcare Data Breaches (GlobeNewswire News Room) Total Number of Records Exposed Reached 11.5 Million in 2018, More Than Twice That of 2017
UK Banks Reported 480% More Breaches in 2018 (Infosecurity Magazine) GDPR likely to have forced industry to be more transparent with FCA.
The Gap Between Mobile Apps and Privacy (BankInfoSecurity) Why are we surprised about the amount and sensitivity of data that mobile apps collect? The online industry has never been forthright about it. That's why we're faced with a yawning gap between user expectations and true privacy. And it's why Facebook, Google, Apple and others have many questions to answer.
Marketplace
Huawei: “The US security accusation of our 5G has no evidence. Nothing.” (TechCrunch) Huawei’s rotating chairman Guo Ping kicked off a keynote speech this morning at the world’s biggest mobile industry tradeshow with a wry joke. “There has never been more interest in Huawei,” he told delegates at Mobile World Congress. “We must be doing something right!…
Weak investment climate main 5G risk, not security fears: Ericsson CEO (iTnews) Europe risks falling behind because of onerous regulation rather than security concerns.
Financial Data Exchange Adds 16 Members (PR Newswire) The Financial Data Exchange (FDX) welcomed 16 new members between October 18 and January 31, 2018, bringing the...
12 of the hottest startups at the RSA Conference 2019 (CSO Online) These RSAC Early Stage Expo startups bring fresh cybersecurity solutions to fight phishing, improve application security, provide better cloud protections, enforce security policy, more accurately authenticate and more.
AFP copping cyber skills shortage hard warns chief (iTnews) Specialists hard to find, harder to retain.
Cyber gushes from 2019 spending bill, if you know where to drill (Federal News Network) The fiscal 2019 spending bill increases funding for the continuous diagnostics and mitigation (CDM) program by more than $37 million.
Remediant Adds Security Veteran Tom Kellermann to Advisory Board (AP NEWS) Remediant, Inc. a leading provider of Privileged Access Management (PAM) software, today announced the appointment of Tom Kellermann to its advisory board.
Adams and Reese Expands its Privacy, Cybersecurity and Data Management Capabilities with Addition of David F. Katz in Atlanta (Adams and Reese LLP) Adams and Reese has expanded the capabilities and depth of its privacy, cybersecurity and data management practice with the addition of David F. Katz as a Partner in the firm’s Atlanta office.
Products, Services, and Solutions
OSSPatcher: Automated mobile application patching for bugs in open source libraries (Help Net Security) Researchers are working on OSSPatcher, a system for automatic patching of vulnerable open source libraries included in mobile applications.
Trustonic and Huawei introduce multi-TEE security platform for mobile app developers (Help Net Security) Trustonic expanding support to include Huawei’s TEE on its mobile application security platform, Trustonic Application Protection (TAP).
Synopsys' new platform enables comprehensive application security from developer to deployment (Help Net Security) Synopsys announced it will showcase its new Polaris Software Integrity Platform at RSA Conference in San Francisco, March 4–8, 2019.
PacketViper Announces Version 5.0 of its Cyber Deception Platform (Business Wire) PacketViper, a leading provider of cybersecurity deception solutions, today announced version 5.0 of their active, threat facing deception platform.
Kenna Security Wins 2019 Cybersecurity Excellence Award for Vulnerability Management (GlobeNewswire News Room) Kenna Security, a leader in predictive cyber risk, has won Gold in the 2019 Cybersecurity Excellence Awards.
Tabcorp uses data to spot suspicious gamblers and appease regulators (iTnews) Tabcorp is using intelligence software to monitor “high risk” - potentially criminal - users of its 9000 retail sites and gambling platforms to stay on the right side of licensing authorities.
NanoLock Collaborates with Micron to Offer Flash-to-Cloud Management Solution for Security of IoT Devices - nanolōck security ltd (NanoLōck security ltd) NanoLock Management of Things Platform and Micron® Authenta™ Technology to Deliver Unified Approach for Securing Smart Cities, Automotive and Industrial Gateways Nitzanei Oz, Israel
Cato Fortifies Cloud-native Security Services with New Threat Prevention and Detection Engines (Cato Networks) Cato introduces zero-footprint Managed Threat Detection and Response (MDR) service, and integrates SentinelOne zero-day threat prevention to boost its seamless multi-layer network protection
Cyberbit Launches SCADAShield Mobile -- a Portable System for On-Site, On-Demand Visibility Into the Risk Posture of Industrial Control System Networks (PR Newswire) Cyberbit Ltd., today announced the official launch of SCADAShield Mobile, a portable unit for monitoring and...
Hex Five and wolfSSL Announce the First Secure IoT Stack for RISC-V (PRWeb) wolfSSL, a leading provider of TLS cryptography and Hex Five Security, provider of MultiZone™ Security, the first Trusted Execution Environment for RISC
Technologies, Techniques, and Standards
Vulnerability Scans Are a Lot Like Eating Mushrooms (Infosecurity Magazine) Vulnerability scanning is a security best practice dogged by compromises.
ASD upgrades Essential Eight cyber rules (iTnews) Govt cyber mitigation maturity model augmented as patch priorities shifted.
A Traveler's Guide to OPSEC (Decipher) Traveling can be a lot of fun, but it can also present myriad challenges when it comes to keeping your information and devices secure. A few simple steps and a little advance planning can go a long way to increasing your operational security.
Reverse Engineering is One of Your Best Weapons in the Fight Against Cyberattacks (Security Today) Reverse engineering is a powerful tool to keep in your cybersecurity tool belt.
Android Is Helping Kill Passwords on a Billion Devices (WIRED) By officially certifying the FIDO2 standard, the mobile OS will soon allow logins to sites and services without having to put in a password.
Bruce Schneier takes his pitch for public-interest security to RSAC (CSO Online) Bruce Schneier's new all-day track at the RSA Conference explores the idea that security pros, like lawyers, should be expected to engage in a certain amount of pro bono work.
More password-less logins are coming to Android (TechCrunch) The FIDO Alliance and Google today announced that Android (from version 7.0 up) with the latest version of the Google Play Services is now FIDO2 certified. At first glance, that sounds rather boring, but it will enable developers to write apps that use a phone’s fingerprint scanner or a FIDO …
The Truth about Business Risk Intelligence (SecurityWeek) Starting a business risk intelligence (BRI) program often requires overcoming challenges that involve resource allocation, operational bandwidth, or stakeholder support, to name a few.
Why Many Organizations Still Don't Get Security (Government Technology) Despite a growing number of security incidents and headline data breaches, many security and technology professionals express the view that their government or company or nonprofit organization doesn't make cybersecurity a priority. Here's how you can help.
Research and Development
DARPA wants robots that humans will trust (C4ISRNET) To be useful, machines will need to understand their own status, and then communicate that plainly to the people around them.
Will AI give the Army a secure ‘Snapchat of information’? (C4ISRNET) Ted Maciuba, the deputy director of robotics requirements at the U.S. Army Maneuver Center of Excellence, discusses working with industry on machines that could give an outsized advantage to infantry.
IARPA to offer potential cure for employees’ ‘linkclickitis’ disease (Federal News Network) The Intelligence Advanced Research Projects Agency (IARPA) will release the details of its Virtuous User Environment (VirtUE) program that secures each employee role in separate cloud containers.
Academia
Stellenbosch University to host cyber warfare conference | IOL Business Report (Business Report) Stellenbosch University and the Council for Scientific and Industrial Research will host the International Conference on Cyber Warfare and Cyber Security.
W. Va. Partners with SANS to Bring Girls into Cyber (Infosecurity Magazine) West Virginia governor says the state has partnered with SANS Institute's Girls Go CyberStart.
Legislation, Policy, and Regulation
Congress considers a national standard for data privacy (OODA Loop) This week, the US Congress will consider the establishment of nationwide data privacy rules. A Tuesday hearing of the Consumer Protection and Commerce Subcommittee, which is part of the House Energy and Commerce Committee, will be devoted to the issue, and on Wednesday it will be debated by the Senate Commerce, Science and Transportation Committee.
Cyber gushes from 2019 spending bill, if you know where to drill (Federal News Network) The fiscal 2019 spending bill increases funding for the continuous diagnostics and mitigation (CDM) program by more than $37 million.
OAS’s Inter-American Defense Board pushes for better regional cyber collaboration (Jane's 360) Cyber defence is a growing issue in Latin America and the Caribbean, and the Inter-American Defense Board is hosting a cyber defence conference in Bogota in May that officials believe can help drive better regional collaboration and education for the domain.
Europe is prepared to rule over 5G cybersecurity (TechCrunch) The European Commission’s digital commissioner has warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers. The Commission is considering a de facto ban on kit made by Chinese companies including Huawei in the face of security and espi…
California Introduces New Data Breach Notification Law (SecurityWeek) New California bill aims to close a loophole in the current data breach notification law by requiring organizations to notify users when passport or biometric information has been compromised.
Data Breach Notification: California Targets 'Loopholes' (BankInfoSecurity) Driven by Marriott's Starwood mega-breach, California lawmakers are pushing legislation that would expand the state's pioneering data breach notification
Labor to punish vendors for stealing govt tech talent (iTnews) The Australian Labor Party has flagged significant changes to government IT procurement rules that would see vendors punished for luring digital talent away from the public sector.
FastMail loses customers, faces calls to move over anti-encryption laws (iTnews) Australia no longer 'respects right to privacy'.
US legal eagle: Well done, you bought privacy compliance tools. Doesn't mean you comply with anything (Register) From California state regs to Europe's GDPR: It's all just a 'veneer of protection.'
Jeez, what a Huawei to go: Now US senators want Chinese kit ripped out of national leccy grid (Register) Red scare reaches new heights as intel committee urges further crackdown on network-connected gear.
The UK is a Global Cyber Power, says Director GCHQ - Speech (GCHQ) Jeremy Fleming, Director GCHQ, defined the rules and ethics of the cyber age during a keynote speech in Singapore. This is a full transcript of his speech, as delivered.
Tech industry titans suddenly love internet privacy rules. Wanna know why? We'll tell you (Register) Hint: It's something to do with a new California law
Apple and Facebook Fighting International Encryption Battle (WSJ) International governments are passing laws that allow authorities to pressure tech companies such as Apple and Facebook for access to digital secrets.
Litigation, Investigation, and Law Enforcement
Stolen Bitcoin returned to cryptocurrency exchange Bitfinex (iTnews) Fraction of lost amount handed back by US government.
Australia should name parliament cyber attackers (ZDNet) In the case of such a blatant attack on Australia's institutions of government, we should stand ready to point the finger and impose some real costs on the adversary.
Facebook tricked kids into in-game purchases, say privacy advocates (Naked Security) Unsealed court documents show that Facebook referred to big-spending kids as “whales” – a term borrowed from the casino industry.
United States of America v. Paul J. Manafort, Jr., Defendant (United States District Court for the District of Columbia) GOVERNMENT'S SENTENCING MEMORANDUM
Prosecutors Seek 3-Year Sentence in 'Celebgate' Hacking Case (SecurityWeek) Federal prosecutors have recommended a sentence of nearly three years in prison for a former Virginia high school teacher convicted of hacking into private digital accounts of celebrities and others.