The CyberWire Daily Briefing 3.15.19

Cyber Attacks, Threats, and Vulnerabilities

Israel suspects Iran of hacking election frontrunner Gantz's phone: TV (Reuters) Israel's Shin Bet security service suspects Iran of hacking the mobile phon...

Protip: If you'd rather cyber-scoundrels didn't know the contents of your comp, don't apply for a Pakistani passport (Register) Compromised government website slurps buttload of data about applicants

As Russians protested ‘Internet isolation’ last weekend, hackers launched DNS attacks against Yandex, exploiting flaws in the government’s censorship system (Meduza) Several major Russian Internet companies, including Yandex and the news outlet RBC, suffered massive network attacks this week that were made possible by vulnerabilities in the system the federal government uses to block websites.

US Warns of Sophisticated Cyberattacks From Russia, China (SecurityWeek) Cyberattacks from Russia, China, North Korea and Iran are increasingly sophisticated and, until recently, were done with little concern for the consequences, the top Pentagon cyber leaders told a congressional committee.

Top Pentagon officials say Google work is 'benefiting the Chinese military' (TheHill) Top defense officials on Thursday blasted Google for its work in China, saying that the company’s efforts are serving the interests of the U.S. adversary.

Analysis | Is China’s cyberespionage a military game-changer? (Washington Post) There's no magical shortcut to catch up on the latest weapons tech.

Here’s how other nations measure up in electronic warfare (C4ISRNET) Other nations are seeking to deny U.S. forces the ability to communicate.

The Hunt: ISIS trying to reposition its messaging (WTOP) What’s ISIS’s message now that it has lost all of the territory it once held in Syria and Iraq? On this week’s edition of The Hunt with WTOP national security correspondent J.J. Green, an American…

Making it Rain - Cryptocurrency Mining Attacks in the Cloud (AT&T Alien Labs) By Chris Doman and Tom HegelOrganizations of all sizes have made considerable shifts to using cloud-based infrastructure for their day-to-day business operations. However, cloud security hasn't always kept up with cloud adoption, and that leaves security gaps that hackers are more than happy to take advantage of.One of the most widely observed objectives of attacking an organization's cloud infrastructure has been for cryptocurrency mining. Despite recent falls in cryptocurrency

A new rash of highly covert card-skimming malware infects ecommerce sites (Ars Technica) GMO sniffer infected Fila UK for 4 months. Six US sites remain compromised.

Payment data of thousands of customers of UK and US online stores could have been compromised (Group-IB) Group-IB, an international company that specializes in preventing cyberattacks, has uncovered a malicious code designed to steal customers’ payment data on seven online stores in the UK and the US. The injected code has been identified as a new JavaScript Sniffer (JS Sniffer), dubbed by Group-IB as GMO. Group-IB Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, which could have led to the theft of payment details of at least 5,600 customers for the past 4 months.

Windows Security Warning: New Exploit Is Targeting Versions 8 to 10 (Forbes) Users encouraged to patch immediately after new vulnerability found by security firm Kaspersky used in targeted attacks by at least two threat actors

Proof-of-concept code published for Windows 7 zero-day (ZDNet) More details emerge about the two Windows zero-days that Microsoft patched this Tuesday.

Malicious Counter-Strike 1.6 servers used zero-days to infect users with malware (ZDNet) Dr.Web: 39 percent of all Counter-Strike 1.6 servers were malicious and tried to infect users with malware.

Belonard Trojan spread via zero days in Counter-Strike 1.6 (SC Media) Cybercriminals are exploiting zero day vulnerabilities in an old game Counter-Strike 1.6 to spread the Belonard Trojan.

Chinese e-commerce giant Gearbest leaks millions of records, researcher finds - CyberScoop (CyberScoop) An unsecured database has exposed records about millions of customer transactions from the Chinese e-commerce giant Gearbest, security researcher Noam Rotem has announced.

Beware of Bitcoin Investment Emails Pushing Clipboard Hijackers (BleepingComputer) A new malspam campaign is under that contains an attachment that when executed will install a Windows clipboard hijacker that attempts to steal Bitcoins from its victims.

Many Security Apps on Google Play Inefficient, Fake: Study (SecurityWeek) AV-Comparatives has analyzed 250 antimalware Android applications offered on Google Play and found that many either fail to detect threats or they are simply fake.

Most Antivirus Apps on Google Play Suck at Detecting Malware (PCMAG) The findings come from antivirus testing group AV-Comparatives, which tested 250 Android security apps to see how they performed against common malware strains. The reputable brands generally performed well, while the lesser-known ones fared poorly.

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware | My Online Security (My Online Security) Yet another Gandcrab ransomware campaign. This time spoofing DHL Express with a fake delivery notification email. This delivers Gandcrab 5.2 ransomware that currently does not have free decryption…

Ransomware's New Normal (Dark Reading) GandCrab's evolution underscores a shift in ransomware attack methods.

Cyber criminals increasingly favouring 'low and slow' stealth attacks (ComputerworldUK) A "low and slow" approach to financially driven cyber attacks has overtaken ransomware as the chief attack vector as criminals seek to extort money by stealth using crypto mining-based malware.

Report Shows Cryptojacking Is Prime Example of Shift Towards Discreet Cyberattacks (Cointelegraph) A recent report shows that cryptojacking is a prime example of cybercriminals’ shift to “low and slow” attack approaches.

Location-Aware Malware Targets Japanese and Korean Endpoints (Security Boulevard) New malware samples use location awareness to specifically target Japanese and Korean endpoints. The malware uses two techniques to determine the location in which it is being executed and ensures that the payload will only be triggered in these regions. This approach matches two trends: 1) docs performing regional checks in targeted attacks, and 2) The post Location-Aware Malware Targets Japanese and Korean Endpoints appeared first on Bromium.

Unsecured Database Exposed 33 Million Job Profiles in China (BleepingComputer) An unsecured database containing the resumes and personal information of approximately 33 million people seeking jobs in China has been exposed online.

LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA ELS Files (ICS-CERT) 1. EXECUTIVE SUMMARYCVSS v3 7.8ATTENTION: Low skill level to exploitVendor: LCDS—Leão Consultoria e Desenvolvimento de Sistemas Ltda MEEquipment: LAquis SCADAVulnerability: Out-of-Bounds Write2. RISK EVALUATIONSuccessful exploitation of this vulnerability could allow remote code execution.

PEPPERL+FUCHS WirelessHART-Gateways (ICS-CERT) 1. EXECUTIVE SUMMARYCVSS v3 5.3ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are availableVendor: PEPPERL+FUCHSEquipment: WirelessHART-GatewaysVulnerability: Path Traversal2. RISK EVALUATIONSuccessful exploitation of this vulnerability could allow access to files and restricted directories stored on the device through the manipulation of file

Gemalto Sentinel UltraPro (ICS-CERT) 1. EXECUTIVE SUMMARYCVSS v3 6.5ATTENTION: Low skill level to exploitVendor: GemaltoEquipment: Sentinel UltraProVulnerability: Uncontrolled Search Path Element2. RISK EVALUATIONSuccessful exploitation of this vulnerability could allow execution of unauthorized code or commands.

Facebook claims server configuration change caused 14-hour outage to Facebook, Instagram and WhatsApp (Computing) BGP protocol shenanigans ruled out as Facebook admits outage was caused by its own engineers

Was The Facebook Outage A Cyber-Attack? (Forbes) Facebook and Instagram users were unable to access the service yesterday. So what happened?

‘Yelp for Conservatives’ Pulled From App Store Over Security Flaws (The Daily Beast) Security threat detected in app that helps people find Trump-friendly restaurants.

Kathmandu ‘urgently investigating’ cyber attack (My Business) Listed outdoors wear retailer Kathmandu has announced that it is “urgently investigating” a security breach that recently hit its trading websites.

Security Patches, Mitigations, and Software Updates

Code Execution Flaw Found in Sonatype Nexus Repository Manager (SecurityWeek) An unauthenticated remote code execution vulnerability has been found and patched in Sonatype’s Nexus Repository Manager, an open source development tool installed on over 150,000 servers.

Cisco Patches Critical ‘Default Password’ Bug (Threatpost) Vulnerability allows adversaries to access monitoring system used to gathering info on operating systems and hardware.

Default Account in Cisco CSPC Allows Unauthorized Access (SecurityWeek) Researcher discovers that Cisco’s CSPC product, which collects information from Cisco devices installed on a network, has a default account that can provide access to unauthorized users.

Cyber Trends

Unmasking War’s Changing Character (Modern War Institute) “Perhaps wars weren’t won anymore. Maybe they went on forever.” — Ernest Hemingway, A Farewell to Arms War used to be easy to define. Once, we could say with confidence whether we were at war or peace. If the former, we could identify with whom we were fighting and where the front was. Americans …

Mobile Security Index 2019 (Verizon) It’s been another headline-grabbing 12 months for cybersecurity.

Sentiment analysis — Quartz Obsession (Quartz) Sentiment analysis: How corporations are reading your mind

90% of consumers value additional security measures to verify mobile-based transactions (Help Net Security) Nine in ten consumers value additional security measures to verify mobile-based transactions before the transaction is completed.

Do people with malicious intent present the biggest threat to personal data? (Help Net Security) According to Apricorn's latest social media poll, sixty five percent of respondents believe that humans pose the biggest threat to their personal data.

Marketplace

Huawei CEO tries to deflect cybersecurity spotlight onto Ericsson and Cisco (Telecoms.com) It was just a matter of time before Huawei played the whataboutism card and Founder/CEO Ren Zhengfei couldn’t resist in a recent interview.

ZTE’s State Owner to Cut Its Stake (Wall Street Journal) The state-backed owner of China’s ZTE said it would sell up to 3% of the shares outstanding in the telecom giant, which is recovering from a bruising run-in with U.S. authorities last year.

ZTE says open to product testing by Indian govt to allay security concerns; to ramp up hiring (ETTelecom.com) Chinese telecom gear maker ZTE said that it is open to evaluation and testing of its products and solutions by any global authority, including the Ind..

Deloitte buys risk consultancy Converging Data Australia (Consultancy) Deloitte has acquired Sydney-based risk consultants Converging Data Australia, with its founder and team joining the Big Four firm’s Risk Advisory practice.

Octo Consulting Gets in on $2.5B Securities and Exchange Commission’s ONE IT Contract (WashingtonExec) Octo Consulting won a spot on the Securities and Exchange Commission’s ONE IT indefinite delivery-indefinite quantity vehicle, a 10-year $2.5 billion

Alphabet Cybersecurity Startup May Pressure Data Analytics Firms (Investor's Business Daily) The annual RSA conference is always a place for cybersecurity startups to make a splash as the industry focuses on new ways to thwart hacker and malware attacks.

For Cisco, the future of security is being shaped by software-defined networking (CSO) Cisco Live! 2019 emphasised the role of analytics, automation, and other software in building responsive security architectures

Carbon Black Painted Red, So We Committed Some Green (Seeking Alpha) Another quarterly beat but guidance just below expectations set this name up for a trade. We discuss our trade but note that upside remains as positive free cas

Two Top Facebook Executives Leaving Company (Wall Street Journal) Two Facebook Inc. senior executives said Thursday that they would leave the company—surprise departures that come days after CEO Mark Zuckerberg announced a major shift in direction for the company.

Products, Services, and Solutions

Juniper Networks unveils ‘connected’ security architecture (ARN) Juniper Networks has rolled out a new security architecture that will connect and operate with an enterprise customer's existing stack of products.

NS1 releases new solution to protect organizations and their customers from DNS attacks (Help Net Security) NS1 unveiled the Domain Security Suite designed to keep organizations and their customers safe from a growing number of DNS threats.

Forcepoint-Enabling Cybersecurity with Behavioural Analytics Solution (BFSI) Forcepoint delivers integrated behavior-based security solutions, that have been perfectly adapted to suit the industrial environment, specifically, products that provide more visibility into the potential threats, says Harshil Doshi, Strategic Security Solutions Head, Forcepoint.

Entrust Datacard's new guide provides actionable technical guidance for IoT stakeholders (Help Net Security) Entrust Datacard announced its contribution to the new Security Maturity Model (SMM) Practitioner’s Guide, published by the Industrial Internet Consortium.

TitanHQ Adds Sandboxing and DMARC Authentication to SpamTitan Email Security (PR Newswire) SpamTitan email security customers, both new and existing, got a pleasant surprise earlier this ...

Everbridge launches Crisis Management solution to help organizations manage critical events (Help Net Security) Everbridge launched a Crisis Management solution, to help organizations manage the lifecycle of a critical event and accelerate response and recovery times.

Darktrace Launches Antigena Cyber AI to Fight Back Against Cyber Threats in Seconds (IT Toolbox) Darktrace, the AI company for cyber defense, has announced new Antigena AI Response modules that fight back autonomously, no matter where a threat may emerge.Expanding beyond network response, the new modules include Cloud (AWS & Azure), Email (Office365), and SaaS applications. Whether faced with a social engineering campaign, compromised cloud...

Onapsis and Exabeam improve monitoring, threat detection, incident response and compliance (Help Net Security) Onapsis announced a technology alliance and product integration with Exabeam to give security teams access to ERP vulnerability logs in their SIEM.

BlueVoyant and IronNet Cybersecurity Form Partnership to Provide Cyber Collective Defense Capabilities to Energy Providers (PR Newswire) BlueVoyant and IronNet Cybersecurity today announced a partnership to deliver advanced, collective cyber defense and...

Technologies, Techniques, and Standards

5G Is Coming for Real, but It Will Cost You (WIRED) Verizon said it will introduce 5G wireless service in selected areas in Chicago and Minneapolis on April 11, for an additional $10 a month.

Data breach reports delayed as organizations struggle to achieve GDPR compliance - Help Net Security (Help Net Security) Businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the GDPR’s enactment.

The tug of war between infosec and the C-suite on cloud security (CIO Dive) "When it comes to cloud visibility, CIOs and CISOs can either be the problem or the solution," said FireMon's Tim Woods.

Protecting applications against DFA attacks (Help Net Security) There are several steps you can take to ensure that you are doing as much as possible to defend against DFA attacks. Learn more in this article from Arxan.

Thinking of threat intelligence as a contributing member of your security team (Help Net Security) Threat intelligence is widely considered as a significant asset for organizations, but implementation of this intelligence within security operations can

American Systems' Brian Neely: Defense Industry's Cyber Posture Must Address Emerging Threats (ExecutiveBiz) Brian Neely, chief information officer and chief information security officer for American Systems, said the company is looking forward to applying the crowdsourced security testing model to its third-party testing portfolio.

Design and Innovation

Is AI really intelligent or are its procedures just averagely successful? (Help Net Security) Learning algorithms appear to reach human capabilities, but it remains unclear whether the AI's decision making behavior is truly 'intelligent'.

Research and Development

DARPA Is Building a $10 Million, Open Source, Secure Voting System (Motherboard) The system will be fully open source and designed with newly developed secure hardware to make the system not only impervious to certain kinds of hacking, but also allow voters to verify that their votes were recorded accurately.

The quantum sea change: Navigating the impacts for cryptography (Help Net Security) Professionals in cybersecurity and cryptography (and even non-IT executives) are hearing about the coming threat from quantum computing. It’s reaching the

Academia

Cyber-Security Student Team Earns Regional Spot (University of Arkansas News) A U of A student cyber-defense team will return this month to the finals of an eight-school competition to see which university will emerge victorious at the end of a real-world cybersecurity gauntlet.

Legislation, Policy and Regulation

NATO Weighs Allegations that Huawei Poses Security Risk (Military.com) Stoltenberg says some of NATO's 29 allies are uneasy about the potential security challenges of working with Huawei.

In testimony, Shanahan underlines it’s ‘China, China, China’ (Defense News) The National Defense Strategy remains the Pentagon's focus under acting Defense Secretary Shanahan.

China approves foreign investment law, possible US olive branch (Yahoo News) China's rubber-stamp parliament approved a foreign investment law Friday that may serve as an olive branch in trade talks with the United States, but it received a lukewarm welcome from business groups. The legislation aims to address long-running grievances from foreign firms including stronger

Putin’s Game Plan in Ukraine (Foreign Affairs) Moscow aims to force concessions out of Kiev.

More success means less boundaries in cyberspace (Fifth Domain) The Department of Defense is being open about its belief that a digital advantage requires operating outside U.S. networks on a daily basis.

Cyber Command’s midterm election work included trips to Ukraine, Montenegro, and North Macedonia (CyberScoop) Cyber Command personnel visited Montenegro, North Macedonia, and Ukraine to collaborate on network defense ahead of the 2018 midterm elections.

U.S. Navy Review Finds Evidence of Widespread Chinese Hacking (The Maritime Executive) The U.S. Navys RD ecosystem is under cyber siege by hackers, according to a new internal review orde...

SECURITY: Pentagon to utilities: Uncle Sam wants you (E&E News) The U.S. military is recruiting electric utilities and grid operators as partners in an aggressive new strategy aimed at spotting and blocking hackers before they launch a cyberattack on energy infrastructure.

Cornyn, Baldwin, Crapo, Brown Bill Will Protect Rail and Bus Manufacturing from China Threat (United States Senator John Cornyn, Texas) China’s “Made in 2025” initiative targets dominance in rail and bus manufacturing.Bill prevents federal transit funds from being used to purchase Chinese rail and bus assets.

Congress at SXSW: Yes, we’re dumb about tech, and here’s what we should do (Ars Technica) Representatives use SXSW to advocate for tech-research funding, Cyber National Guard.

Google needs breaking up, says news chief (Naked Security) And Oracle accused Google of creating shadow profiles of even non-users. Theirs are just two of 85 responses to an Australian inquiry.

House Members Voice Support for NSA/CyberCom ‘Dual-Hat’ Command (Meritalk) Two members of the House Armed Services Committee said at a hearing on Wednesday they support continuation of the “dual-hat” command structure which finds Gen. Paul Nakasone heading both U.S. Cyber Command and the National Security Agency.

What DOD Plans To Do With $9.6 Billion in Cyber Funding (Nextgov.com) Defense Department cyber leaders explained the 2020 budget request and offered insight into how U.S. Cyber Command is using its new acquisition authority.

Should CYBERCOM be granted more acquisition funds? (Fifth Domain) Some congressional leaders are questioning Cyber Command's needs given it has yet to exhaust what has already been provided.

Army Cyber to Become an Information Warfare Command (SIGNAL Magazine) The shift reflects the importance of integrated capabilities, above and beyond cyber.

Task Force Echo mission and transition is critical to American cybersecurity (DVIDS) Col. Brian Vile, commander of the 780th Military Intelligence (MI) Brigade (Cyber), hosted a transition of authority (TOA) ceremony between two Army National Guard (ARNG) formations whereby one cyber battalion transitioned with another to continue the Task Force Echo cyberspace mission.

Litigation, Investigation, and Enforcement

Christchurch shooting: 49 dead in terror attack at two mosques – live updates (the Guardian) Three in custody over mass shootings that also left 20 people seriously injured

Terror attacks on two New Zealand mosques have left nearly 50 people dead (Quartz) After shootings at two separate mosques in Christchurch, police urged mosques to "close your doors until you hear from us again."

In overwhelmingly bipartisan vote, House calls for Mueller report to be made public (Washington Post) Republicans joined Democrats to back a resolution calling on the Justice Dept. to release the special counsel’s full report to Congress and the public.

Documents shed light on Russian hacking of Democratic Party leaders (Washington Post) The papers from a lawsuit against BuzzFeed include a forensic analysis by a former top official in the FBI’s cyber crime division.

BBC scores first interview with one of 13 ‘Russian trolls’ indicted by Robert Mueller last year (Meduza) It’s been more than a year since the U.S. Justice Department indicted 13 “Russian trolls” for interfering in America’s 2016 presidential election.

"Активный патриот": обвиняемый в США рассказал о "фабрике троллей" (BBC News Русская служба) Один из 13 россиян из "списка Мюллера", обвиняемых во вмешательстве в выборы в США, признался Би-би-си, что сотрудничал с "фабрикой троллей". Правда, Сергей Полозов утверждает, что не знал, чем она занимается.

Lindsey Graham calls for investigation into FBI, DOJ (WBIR) Senator Lindsey Graham wants a new special counsel to look into the handling of the Hillary Clinton email investigation.

Peter Strzok: Clinton, DOJ struck deal that blocked FBI access to Clinton Foundation emails on her private server (Washington Examiner) Fired FBI agent Peter Strzok told Congress last year that the agency "did not have access" to Clinton Foundation emails that were on Hillary Clinton's private server because of a consent agreement "negotiated between the Department of Justice attorneys and counsel for Clinton."

Lisa Page testimony means DOJ might want to re-open case against Hillary Clinton (Washington Examiner) Lock her up?

Intelligence Community Veterans Blast Mueller's 'Forensic-Free Findings' (Sputnik) The group has regularly published analysis of publicly available data on the hack, and been entirely ignored by the mainstream media every step of the way.

The Intercept Shuts Down Access to Snowden Trove (The Daily Beast) First Look Media, the company that owns the Intercept, also announced that it was laying off several of the researchers who had been charged with maintaining the documents.

U.S. Senators Want Transparency on Senate Cyberattacks (SecurityWeek) Two lawmakers believe the U.S. Senate should inform senators about successful hacker attacks against the organization’s systems.

London link in Lucknow hotel cyber attack - Times of India (The Times of India) The cybercell of Lucknow police believes the recent ransomware attack on a city hotel could have been made from London.

MtGox bitcoin founder gets suspended sentence (France 24) The high-flying creator of the MtGox bitcoin exchange received a suspended jail sentence of two and a half years after a Japanese court Friday found him guilty on charges of data manipulation.

Live-streamed terror in New Zealand. New JavaScript sniffer. China's National People's Congress gestures toward respecting IP.