Cyber Attacks, Threats, and Vulnerabilities
Mysterious Hackers Hid Their Swiss Army Spyware for 5 Years (WIRED) The TajMahal spyware includes more than 80 distinct spy tools, and went undetected for five years.
Leap in Cyber Attacks Against Elections in OECD Countries: Canada (SecurityWeek) Cyber attackers targeted half the member states of the Organization for Economic Cooperation and Development that held national elections in 2018, the agency that monitors Canada's telecoms networks said.
A powerful hacker group behind the Triton malware strikes again (TechCrunch) A highly capable hacker group reportedly behind a failed plot to blow up a Saudi petrochemical plant has now been found in a second facility. FireEye researchers said they found traces of the so-called Triton group in another unnamed “critical infrastructure” facility. The group’…
Mysterious safety-tampering malware infects a second critical infrastructure site (Ars Technica) Use of game-changing Triton malware to target safety systems isn't an isolated incident.
FireEye says it is responding to a second Triton intrusion (CyberScoop) Cybersecurity company FireEye on Wednesday said it was responding to a second intrusion at a critical infrastructure facility carried out by the group behind Triton, the notorious malware that targets safety systems at industrial plants. To raise awareness about the group, known as Xenotime or TEMP.Veles, FireEye also released details on new customized tools the company’s incident responders had found at the unnamed facility. “[W]e believe there is a good chance the threat actor was or is present in other target networks,” FireEye researchers said in a blog post.
TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping (FireEye) FireEye uncovered and is responding to an additional intrusion by the attacker behind TRITON.
iOS Version of Exodus Spyware Discovered in an Escalating Italian Spy Scandal (SecurityWeek) Mobile security firm Lookout has discovered and described iOS versions of the "Exodus" spyware with links to Italian government agencies.
Researchers find phishing sites distributing the iOS version of Exodus Android spyware (Computing) Exodus is thought to be linked to eSurv, a business unit of Connexxa - currently under investigation by Italian authorities
TajMahal spyware framework with a sophisticated, previously unseen code base discovered by researchers (Computing) The TajMahal APT framework has been active for at least the past five years
New Mirai Variant Targets More Processor Architectures (SecurityWeek) A recently discovered variant of the Mirai malware is targeting a wider range of IoT devices than before.
189 Australian financial services orgs under attack by SMS-borne malware (CRN Australia) 'Gustuff' malware includes fake logon screens and local targeting mechanisms.
Gustuff banking botnet targets Australia (Cisco Talos) A blog post from Talos, Cisco's threat intelligence group.
New Module Suggests Fourth Team Involved in Stuxnet Development (SecurityWeek) Researchers at Alphabet’s Chronicle discover Stuxshop, a component that suggests a fourth group was involved in the early development of the notorious Stuxnet malware.
Duqu Remained Active After Operations Were Exposed in 2011 (SecurityWeek) The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark, as previously believed, after their operations were exposed in 2011.
New Version of Flame Malware Platform Discovered (SecurityWeek) The Flame platform was believed dead following public exposure in 2012, but recently discovered evidence suggests that it remained alive, albeit very well hidden, security researchers at Alphabet-owned Chronicle reveal.
Phishing Scheme Uses Legit Signup Forms to Steal Payment Card Data (BleepingComputer) Newsletter sign-up forms from the websites of international companies have been used by malicious actors to camouflage phishing e-mails as official newsletter subscription messages.
Malware Debugs Itself to Prevent Analysis (Security Boulevard) We recently encountered a piece of malware via a tweet, which caught our eye because it appeared to be searching for folders related to our product. During analysis we discovered that this malware employs a novel technique to prevent reverse engineering via a debugger, and we felt that it was worth writing about, in case…
New Vulnerabilities in Verizon Routers Expose Millions of Consumers, According to Tenable Research (Tenable®) Threat actors could gain complete control of home routers and access to network traffic without needing physical access to the device. Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered multiple vulnerabilities in Verizon Fios Quantum Gateway routers. If exploited, the vulnerabilities would give an attacker complete control over the router and visibility into everything connected to it. Millions of these devices are currently in use in U.S. homes.
Verizon Fios Router Authenticated Command Injection (Medium) Rooting the Verizon Fios Quantum Gateway
WIBU SYSTEMS AG WibuKey Digital Rights Management (Update C) (ICS-CERT) CVSS v3 10.0. ATTENTION: Exploitable remotely/low skill level to exploit/public exploits available. Vendor: WIBU-SYSTEMS AG. Equipment: WibuKey Digital Rights Management (DRM).
Siemens Industrial Products with OPC UA (ICS-CERT) CVSS v3 7.5. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: SIMATIC, SINEC-NMS, SINEMA, SINEMURIK Industrial Control Products with OPC UA. Vulnerability: Uncaught Exception. Risk evaluation: Successful exploitation of this vulnerability could cause a denial-of-service condition on the affected service or device.
Siemens Spectrum Power 4.7 (ICS-CERT) CVSS v3 10.0. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: Spectrum Power 4.7. Vulnerability: Command Injection. Risk evaluation: Versions of Spectrum Power 4 using the user-specific project enhancement (PE) Web Office Portal (WOP) are affected by an OS command injection…
Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products (Update F) (ICS-CERT) CVSS v3 6.8. ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available. Vendor: Siemens. Equipment: SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products. Vulnerabilities: Security Features.
Siemens CP, SIAMTIC, SIMOCODE, SINAMICS, SITOP, and TIM (ICS-CERT) CVSS v3 7.5. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: CP, SIAMTIC, SIMOCODE, SINAMICS, SITOP, and TIM. Vulnerability: Out-of-bounds Read. Risk evaluation: Successful exploitation of this vulnerability could result in a denial-of-service condition leading to a restart of the webserver.
Siemens SIMOCODE pro V EIP (ICS-CERT) CVSS v3 7.5. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: SIMOCODE pro V EIP. Vulnerability: Uncontrolled Resource Consumption. Risk evaluation: Successful exploitation of this vulnerability could cause a denial-of-service condition.
Siemens OpenSSL Vulnerability in Industrial Products (Update E) (ICS-CERT) CVSS v3 5.9. ATTENTION: Exploitable remotely. Vendor: Siemens. Equipment: Industrial Products. Vulnerability: Cleartext Transmission of Sensitive Information. Update information: This updated advisory is a follow-up to the updated advisory titled ICSA-18-226-02 Siemens OpenSSL Vulnerability in Industrial Products (Update D) that was published February 12, 2019, on…
Siemens SINEMA Remote Connect (ICS-CERT) CVSS v3 8.3. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: SINEMA Remote Connect (Client and Server). Vulnerabilities: Incorrect Calculation of Buffer Size, Out-of-bounds Read, Stack-based Buffer Overflow, Improper Handling of Insufficient Permissions.
Siemens RUGGEDCOM ROX II (ICS-CERT) CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Siemens. Equipment: RUGGEDCOM ROX II. Vulnerabilities: Double Free, Out-of-bounds Read, Uncontrolled Resource Consumption. Risk evaluation: Successful exploitation of these vulnerabilities could result in remote code execution and/or a denial-of-service condition.
Meet Baldr: The Inside Scoop on a New Stealer (Dark Reading) Baldr first appeared in January and has since evolved to version 2.2 as attackers aim to build a long-lasting threat.
Attacks Against IoT Devices Through APIs & How to Prevent Them (Security Boulevard) You would never leave the keys to your building lying around, so why do so many organizations leave the keys to their business exposed?
Hackers attacked California DMV voter registration system marred by bugs, glitches (Los Angeles Times) Programmers warned that the 2018 launch of California's "motor voter" system could be a debacle, but state officials rolled it out anyway, according to interviews and an exclusive Times review of documents. The launch occurred even after engineers detected signs of an international hacking attempt.
A New Breed of ATM Hackers Gets in Through a Bank’s Network (WIRED) Innovations in digital payment system attack methods mean the rash of heists isn’t over.
Hacker unlocks Samsung S10 with 3D-printed fingerprint (Naked Security) According to a video posted on the Imgur site Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range using a 3D-printed fingerprint in minutes.
Knock and don’t run: the tale of the relentless hackerbots (Naked Security) If you have an IoT device in your home, you could be receiving an average of 13 login attempts to these devices per minute, according to Matt Boddy’s latest research.
Cryptominers Still Top Threat In March Despite Coinhive Demise (BleepingComputer) Although Coinhive shut down and its cryptominer dropped to sixth place in Check Point's latest Global Threat Index, coinminers continue to lead the pack, with Cryptoloot, XMRig, and Jsecoin taking first, third, and fifth place.
Coinhive stops digging, but cryptomining still dominates (Help Net Security) While cryptomining services such as Coinhive have closed down, cryptominers are still the most prevalent malware aimed at organizations globally…
The 'Hush-Hush' iPhone (OxGadgets) Ask just about anyone who uses an Apple product and they will tell you that it is basically impenetrable. Whether it is an iPhone or a MacBook Pro laptop, most consumers rightly believe that their Apple device has a very low probability of getting ‘infected’.
Security Patches, Mitigations, and Software Updates
April’s Patch Tuesday Fixes Two Vulnerabilities Being Exploited in the Wild (TrendLabs Security Intelligence Blog) Microsoft’s April security update includes fixes for 74 CVEs, including two vulnerabilities that are actively exploited in the wild. Of the vulnerabilities patched in this update, 13 are rated Critical and 61 are rated Important.
Microsoft Patches Windows Privilege Escalation Flaws Exploited in Attacks (SecurityWeek) Microsoft fixes over 70 vulnerabilities with April 2019 Patch Tuesday updates, including two Windows zero-days that allow privilege escalation.
Adobe Patches 43 Flaws Across Eight Products (SecurityWeek) Adobe patches over 40 vulnerabilities affecting its Acrobat and Reader, Flash Player, Shockwave Player, Dreamweaver, XD, InDesign, Experience Manager Forms, and Bridge CC products.
Verizon Patches Vulnerabilities Affecting Millions of Routers (SecurityWeek) Verizon patches a potentially serious command injection vulnerability affecting its Fios Quantum Gateway routers, but exploitation is not straightforward.
Chrome, Safari and Opera criticised for removing privacy setting (Naked Security) Forthcoming versions of Chrome, Apple Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings.
Cyber Trends
BakerHostetler's 5th Annual Data Security Incident Response Report Highlights Collision of Privacy, Cybersecurity and Compliance; Details Efforts to Minimize Risk (PR Newswire) BakerHostetler's privacy and data protection team released its 2019 Data Security Incident Response Report, which...
2019 Protiviti and Shared Assessments Survey Finds Board Involvement a Key Indicator of Vendor Risk Management Maturity; Most Organizations Will Drop Vendors to De-Risk (PR Newswire) Global consulting firm Protiviti and the Shared Assessments Program, the member-driven...
New Research Reveals that One Quarter of Phishing Emails Bypass Office 365 Security (West) Analysis of over 55.5 Million Emails by Enterprise Cloud-Native Security Firm Avanan Provides a Stark Picture of Threat Landscape
Cyberattacks Increasing as Ransomware Demands Soar Says BakerHostetler Report (Legaltech News) The Data Security Incident Response Report from BakerHostetler details the more than 750 incidents the law firm worked on in 2018, compared to 200 in 2014.
2019 Vendor Risk Management Survey (Protiviti) The Shared Assessments Program and Protiviti examine the maturity of vendor risk management - based on the comprehensive VRMMM. Key findings include:
2019 Global Phish Report (Avanan) To create the 2019 Global Phish Report, Avanan security scientists analyzed 55.5 million emails to surface key insights on how hackers target Office 365 and Gmail.
Marketplace
Understanding the Concept of Cyber Insurance (Outlook India) Whether you are an individual or a corporation, cyber insurance can be of immense help.
Senior Obama Cyber Official Lobbying for China (Washington Free Beacon) China's government-linked telecommunications giant Huawei Technologies has hired a senior Obama administration cyber security official as a lobbyist.
Cyber risk considerations during the M&A process (Financial Director) Cyber risk has been an often-overlooked element during merger transactions, says Jake Olcott, VP of government affairs at consultancy BitSight.
CIA Considering Cloud Contract Worth ‘Tens of Billions’ (Nextgov.com) The agency is hungry for more commercial cloud.
The Private Sector is Trying to Bring More Cyber Experts to Government (Nextgov) Mastercard, Microsoft, Workday and the Partnership for Public Service launched an initiative that would place highly qualified grads in cyber jobs at federal agencies.
Analysis | The Cybersecurity 202: There are even fewer women in U.S. government cybersecurity than there are globally (Washington Post) But the data is fuzzy -- and that's a problem for increasing diversity in the male-dominated field.
Private equity firm STG takes 70 percent stake in cybersecurity... (Reuters) Private equity firm Symphony Technology Group said on Tuesday it has taken 70 pe...
PasswordPing Enters a New Era as Enzoic (PR Newswire) PasswordPing, an innovative credential screening and cybersecurity company, formally announced today that it has ...
Hacker-for-Hire Accused of Aiding Saudis Is Worrying Wall Street (Bloomberg) Lenders demand premium to fund management buyout of NSO Group. Israeli firm’s software allegedly used to target dissidents
Taking a Shot on the Long Side with Cybersecurity Firm Varonis Systems (RealMoney) Like many other cyber-related companies, VRNS stock has experienced hiccups.
Microsoft joins forces with HackerOne to boost bug bounties (IT PRO) Security researchers will be able to get their hands on the money before the bugs they report are fixed.
UKFast founder Lawrence Jones issues cybersecurity warcry (CRN) 'UK cybersecurity market no longer dominated only by NCC', Jones claims as he takes 13.3 per cent stake in Shearwater as part of cybersecurity deal
Security Industry Association Announces 2019 Executive Committee, Welcomes New Members to the Board of Directors (PRWeb) The Security Industry Association (SIA) announced its 2019 executive committee and welcomed five new members to the SIA Board of Directors at The Advance, SIA’s a
Products, Services, and Solutions
Bandura Cyber Launches Strategic Channel Partner Program to Support Global Demand for Automated, Threat-Intelligence Driven Network Security (BusinessWire) Bandura Cyber announced today the launch of its global channel partner program.
Bitdefender Broadens Services Play with New Threat Intelligence Services (Bitdefender) New services deliver company’s top-rated security data and expertise directly to businesses and SOC teams.
Hyundai to Demonstrate Digital Car Key Secured by Trustonic Application Protection at the New York Auto Show (Trustonic) Mobile device and application security technology company Trustonic announced today that Hyundai Motor America will demonstrate its new Digital Key app, secured by Trustonic Application Protection, at the New York International Auto Show 2019. The Digital Key will launch with the all-new 2020 Hyundai Sonata in the fall.
CipherTechs Partners with Cymulate to Bring Breach and Attack Simulation Platform to U.S. Customers (PR Newswire) Cybersecurity company CipherTechs today announced a new partnership with Israel-based Cymulate that will bring...
Sqreen Launches SaaS App Security Platform (Tech) Sqreen, a cybersecurity start-up founded by Apple security veterans, has attracted $14 million in a Series A funding round that will support the rollout of its first-of-a-kind platform to protect web applications from attacks. With the launch of its Application Security Management platform, Sqreen aims to help developers and security teams gain...
UK councils team up to boost cyber security (ComputerWeekly) Three UK councils and data analysis firm Splunk have teamed up to improve cyber defence capabilities and maintain their security systems
Tested and Proven by SE Labs Threat Prevention Evaluation Test: Deep Instinct Prevents Today’s Most Sophisticated File-based and File-less Attacks (BusinessWire) According to the latest test results from SE Labs’ independent threat prevention evaluation lab, Deep Instinct’s D-Client (v2.2.1.5) achieved a 100% p
Technologies, Techniques, and Standards
When Cyber Attack Hit Norsk Hydro, It Was Already Handling a Major Upheaval: RMS (Insurance Journal) When Norsk Hydro, one of the world's largest aluminum producers, was hit by a major cyber attack in the early hours of March 19, it was already undergoing
New Space ISAC plans to elevate the industry's awareness of cyberthreats (CyberScoop) At a time when corporations are planning to blanket the heavens with high-tech hardware, the space industry is responding with the creation of an information sharing and analysis center — a nonprofit organization that helps to track cyberthreats for member companies and related government agencies. The Space Information Sharing and Analysis Center (S-ISAC) will be housed in Colorado Springs, Colorado, within the National Cybersecurity Center, itself a nonprofit, nongovernmental organization created to improve awareness about securing cyberspace.
New Technical Note Helps Prioritize Cyber Resilience Review Results into Improvement Plan (Software Engineering Institute) This publication provides a template for addressing service continuity management (SCM) and explains how to use Cyber Resilience Review results to prioritize SCM-specific and supporting practices.
Considerations for Planning, Structuring and Deploying a New Network Security Strategy (Bricata) Planning and deploying a new network security strategy should involve many departments across the business and multiple steps. Here are considerations for rolling out a new strategy seamlessly.
What is a Threat Intelligence Platform? (SC Media) Threat actors are constantly evolving and advancing their attacks. Organizations seek to gain context on these attacks by leveraging threat intelligence,
How threat intelligence sharing can improve the security posture of whole industries (CSO Online) UBS and industry peers conduct joint cyber war games to improve security posture and incident response of the whole sector.
Design and Innovation
Stop Mocking & Start Enabling Emerging Technologies (Dark Reading) Mocking new technology isn't productive and can lead to career disadvantage.
The Challenge of Securing Cryptocurrencies (GovInfo Security) Cryptocurrency exchanges have been notable targets for fraudsters, says Ondrej Krehel of LIFARS, who describes their vulnerabilities.
Nothing personal: Zero Trust meant to stop cyber breaches before they start (Federal News Network) Analyst Chase Cunningham said the concept of zero trust means removing the potential for someone to be the person who causes a cybersecurity failure.
Research and Development
Quantum device developed able to represent multiple futures in simultaneous quantum superposition (Computing) The initial prototype can represent up to 16 simultaneous futures
Academia
State officials woo students in UA's cybersecurity program (Akron Beacon Journal) Ohio Cyber Range warriors at the University of Akron got a pep talk and a recruitment pitch Tuesday from two of the state’s highest cyber officials.
Legislation, Policy, and Regulation
Canadian military needs more rules around spying operations: watchdog (Global News) A national-security watchdog is calling for stricter controls on the Canadian military's spying.
Opinion: Canada’s federal election could be under attack. Are we prepared? (The Globe and Mail) Foreign interference will be a serious federal-election issue for the first time, and a CSE report suggests we have a long way to go
Cyber Warfare In The Grey Zone: Wake Up, Washington (Breaking Defense) The entire US government — not just the Pentagon — needs to wake up to the intertwined threats of cyber warfare and political subversion, Army and National Security Agency officials say. It’ll take a major cultural change to get the whole of government to compete effectively in the grey zone between peace and war.
Hungary sees Huawei as strategic partner despite security concerns (Reuters) Hungary regards China's Huawei Technologies as a strategic IT partner, the ...
US tries to freeze Huawei, ZTE out of Europe (TechCentral) The US is urging allies to ban networking products from countries without independent court systems, an approach intended to block China’s Huawei and ZTE from competing for new 5G networks in Europe and Asia.
Huawei Technologies v. U.S.: Summary and Context (Lawfare) Chinese telecom giant Huawei has sued the U.S. for what it calls an unconstitutional government-wide ban on its products.
How the EU's AI ethics guidelines will impact US businesses (TechRepublic) The EU's guidelines offer a framework for ethical, trustworthy artificial intelligence for businesses and governments.
Web’s ‘Dark Patterns’ Targeted as U.S. Senators Take Aim at Tech (Bloomberg) Two U.S. senators introduced a bipartisan bill that would ban "manipulative" design features and prompts that let large websites such as Alphabet Inc.’s Google or Facebook Inc. "trick consumers into handing over their personal data."
Maintain Voter Confidence. Enhance the Voting Experience. (Election Systems & Software) Dear Senators Klobuchar, Peters, Reed, and Warner: Thank you for your letter of March 26, 2019, and for the opportunity to discuss how Election Systems & Software (ES&S) is working with many stakeholders, including the U.S. government, to secure and ensure faith in our system of democracy. Please find below the answers to your questions.
Bill would create cybersecurity grant program for state and local governments (StateScoop) The bipartisan bill, sponsored by Sens. Mark Warner and Cory Gardner, is similar to one introduced two years ago but failed to advance.
Department of Homeland Security loses another top official as acting deputy secretary Claire Grady resigns (Newsweek) Claire Grady’s resignation comes amid a Trump administration shakeup in recent days which has seen several top officials ousted from their roles.
Nielsen's departure raises questions about cyber plans (TheHill) Kirstjen Nielsen’s departure as head of Homeland Security is creating uncertainty about the agency’s cyber efforts.
A Secretary for Cyber Homeland Security (Forbes) Secretary Nielsen resigned on Sunday from her post as Secretary for DHS. In her short time in office, she championed and was a leader for Cybersecurity in the Government, and her departure leaves a question mark over Cyber. To the new Secretary, please keep Cyber at the top of your agenda!
Litigation, Investigation, and Law Enforcement
Watchdog Questions NSA’s $636 Million in Award Fee Incentive Contracts (Government Executive) Justifications of costs and benefits may not have served government’s interests.
Yahoo in new $117.5 million data breach settlement after earlier... (Reuters) Yahoo has reached a revised $117.5 million (89.8 million pounds) settlement with...
Attorney General William Barr says Mueller report’s release likely ‘within a week’ (Washington Post) The routine budget hearing comes as Barr is reviewing the special counsel’s report to see what more can be released publicly.
Here Is When The FISA Abuse Investigation Will Be Done (Daily Caller) William Barr said that an investigation into whether the FBI abused the surveillance court process during the Russia probe will be completed by May or June.
Canadian regulator says Equifax fell short of privacy compliance (Reuters) Equifax Inc and its Canadian unit fell far short of their privacy obligations, a...
Equifax forced to report to the Privacy Commissioner of Canada for six years as a result of 2017 data breach (Ottawa Citizen) The Office of the Privacy Commissioner of Canada will monitor American credit agency Equifax Inc. for the next six years after an investigation into a massive data breach of personal information at…
Scheme to Swap Fake iPhones Adds Up to $900,000 Loss for Apple, Prosecutors Say (New York Times) Two college students in Oregon are accused of tricking Apple into replacing nearly 1,500 counterfeit iPhones with genuine ones that were later sold.
Deputies arrest former Raytheon employee accused of making threats via email (Tampa Bay Newspapers) Pinellas County Sheriff’s deputies arrested a 31-year-old St. Petersburg man April 8 in connection with threats to do violence at his former workplace in Seminole.