Cyber Attacks, Threats, and Vulnerabilities
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities (Recorded Future) New research from Insikt Group examines the history of Brazil’s cybercriminal underground, including their tactics, techniques, and procedures.
Adblock Plus filters can be abused to execute malicious code in browsing sessions (ZDNet) The vendor was not aware of the problem until public disclosure.
Ecuador says hit by 40 million cyber attacks since Assange arrest (AFP) Ecuador said on Monday it has suffered 40 million cyber attacks on the webpages of public institutions since stripping Wikileaks founder Julian Assange of political asylum.
Microsoft admits Outlook.com hackers were able to access emails (Verge) The security breach was worse for some than others
Bruteforce bot recruitment uses GoBrut malware on content management systems (SC Media) Security researchers have discovered a new GoBrut botnet variant and C2 server being used to mount bruteforce attacks on content management systems to recruit new bots.
A hacker has dumped nearly one billion user records over the past two months (ZDNet) Hacker Gnosticplayers has stolen over 932 million user records from 44 companies.
Energy industry needs to up cyber defences, warns report (ComputerWeekly) Cyber threat actors are advanced and persistent, but firms in the energy industry are using outdated systems and technology to save money, putting them at risk of cyber attacks, warns F-Secure report
The State of the Station (F-Secure) A report on attackers in the energy industry
Naval Dome: Industry Should be on Red Alert for Cyber Attack (The Maritime Executive) The maritime sector is being targeted by highly motivated cyber criminals, and the shipping industry...
After Middle East, Russia-backed Triton targeting American enterprises (The National) Malware caused a shutdown of a regional petrochemical plant twice
Outside-the-box malware is getting more common, security researchers warn (CSO Online) Malware authors have been experimenting with unusual malware formats, and this presents new challenges for the security industry.
As China Hacked, U.S. Businesses Turned A Blind Eye (NPR) The U.S. has largely failed to stop Chinese cybertheft of U.S. companies, but the companies themselves led the charge in keeping it under wraps.
Experts: Breach at IT Outsourcing Giant Wipro (KrebsOnSecurity) Indian information technology (IT) outsourcing and consulting giant Wipro Ltd. [NYSE:WIT] is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident.
Wipro hacked and used to attack customers, says report (CRN Australia) Wipro is probing allegations that it's been breached, big-time.
Wipro investigates security breach believed to be perpetrated by state-sponsored attacker (Computing) Wipro systems compromised following phishing campaign used to target 'at least a dozen' clients, according to insiders
New HawkEye Reborn Variant Emerges Following Ownership Change (Cisco Talos) A blog from the world class Intelligence Group, Talos, Cisco's Intelligence Group
Microsoft Outlook Breach Now Impacts MSN And Hotmail Accounts, Report Says (Threatpost) A Microsoft Outlook breach that was disclosed on Friday is thought to be much larger than previously said, a new report found.
Microsoft Email Hack Shows the Lurking Danger of Customer Support (WIRED) Hackers spent months with full access to Outlook, Hotmail, and MSN email accounts—and got in through Microsoft's customer support platform.
Microsoft hack “another case of insider threat” (Verdict) The Microsoft hack that saw Outlook.com accounts accessed between 1 January and 28 March 2019 is the latest example of insider threat.
New Details Emerge on Windows Zero Day (Dark Reading) The CVE-2019-0859 vulnerability, patched last week, is the latest in a string of Windows local privilege escalation bugs discovered at Kaspersky Lab.
Kaspersky Labs Discovers 'Previously Unknown Vulnerability' in Microsoft Windows (Infosecurity Magazine) Kaspersky Labs believes it was an attempt to gain full control over a targeted device.
Sophos Investigates Microsoft Reboot Failures Following Software Update (Infosecurity Magazine) Sophos has been looking into reports of boot-up failures.
Security researcher exposes zero-day WordPress vulnerabilities (TechRadar) 160,000 websites were exposed to potential attacks
Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec (TrendLabs Security Intelligence Blog) Ransomware may have experienced a decline in 2018, but it seems to be getting back on track — only this time, attacks are looking to be more targeted. Coming on the heels of news about a ransomware attack against a U.S. beverage company which addressed the company by name in the ransom note, this blog post looks into a BitPaymer ransomware variant (detected by Trend Micro as Ransom.Win32.BITPAYMER.TGACAJ) that hit a U.S. manufacturing company.
Fake Instagram Apps on Google Play Harvest User Logins (Threatpost) The apps, which claim to help users rack up followers, are well-rated and have been downloaded tens of thousands of times.
Scammers With Verified Instagram Accounts Cheating 'Influencers' With Fake Verification Service (Forbes) The scammer promised verification in just 45-60 minutes.
Three apps claiming to improve Instagram exposed as an insta-scam (SC Media) Three Android apps that supposedly helped Instagram users increase likes and followers, plus improve the experience, were actually stealing credentials.
‘Nasty List’ Phishing Scam Targets Instagram Users (Infosecurity Magazine) Direct messages are spammed out from hijacked accounts
Why you shouldn't buy fake followers and likes on Instagram (Evening Standard) We know we shouldn’t measure our self-worth via Instagram likes or a high follower count but we often can’t help comparing ourselves to friends and peers just a little bit. Unfortunately, if you take measures to improve that count on the sly, say in the form of downloading apps to boost likes or followers, it most certainly will do more harm than good.
Mobile VPNs Promoted by 'You Are Infected' or 'Hacked' Ads (BleepingComputer) Mobile VPN affiliates are displaying scam ads that state your mobile device is infected, has been hacked, or is being tracked in order to scare visitors into purchasing a subscription.
Flood of exploits targeting ancient WinRAR flaw continues (Naked Security) An ancient WinRAR vulnerability made public in February is now well on its way to becoming one of the most widely and rapidly-exploited security flaws of recent times.
TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids (Threatpost) A popular Australian smartwatch's tracking capabilities expose its user's locations, personal data and more.
Vulnerability Summary for the Week of April 8, 2019 (US-CERT) The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
IBM admits its own errors led to multiple cloud crashes (CRN Australia) Issue goes back eight months before actual outage.
Security Patches, Mitigations, and Software Updates
Patched Windows Zero-Day Provided Full Control Over Vulnerable Systems (BleepingComputer) A Windows zero-day vulnerability which got patched by Microsoft as part of the company's April 2019 Patch Tuesday together with 73 other flaws could allow potential attackers to take full control of vulnerable systems.
The Daily 202: How the nature of cyberwar is changing (Washington Post) Government systems remain vulnerable as more adversaries play the game.
Kaspersky: 70 percent of attacks now target Office vulnerabilities (ZDNet) That's more than four times the percentage the company was seeing two years before, in Q4 2016.
The Illusive 99.9% (Nyotron) Study of the efficacy of modern antivirus products against known malware
Credential stuffing: Canada’s newest cyber threat (Canadian Underwriter) A new cyber threat called “credential stuffing” is emerging, and Canada is the third-most targeted country in the world, according to a new report. Credential stuffing is when hackers take a stolen username and password and then run it through…
Skating on thin ice - CISOs crack under stress of job insecurity & lack of resources (SC Media) CISOs are turning to drink, drugs & meditation to overcome the inevitability of breaches in the face of inadequate human or financial resources to defend their organisations; as 1 in 5 are available 24/7.
Bad security hygiene still a major risk for enterprise IT networks (Help Net Security) Unpatched vulnerabilities, along with network and app complexity pose an ongoing security risk which could threaten the security of enterprise IT networks.
Thousands of leaked Facebook documents show Mark Zuckerberg as ‘master of leverage’ in plan to trade user data (NBC News) Facebook’s leaders seriously discussed selling access to user data — and privacy was an afterthought.
15 Months of Fresh Hell Inside Facebook (WIRED) Scandals. Backstabbing. Resignations. Record profits. Time Bombs. In early 2018, Mark Zuckerberg set out to fix Facebook. Here's how that turned out.
Behind KKR's Big Bet On Cybersecurity (Fortune) Ninety percent of security flaws still occur at the worker or consumer level
Tufin: The Right Way To IPO (Seeking Alpha) Tufin has an IPO today on the NYSE. Unlike several of the recent IPOs, this one seems fairly priced. I would consider buying at these levels.
Amenity Analytics raises $18 million for AI that parses regulatory filings and earnings calls for key points (VentureBeat) Amenity Analytics has raised $18 million for natural language processing technology that detects sentiment and more in coverage and social media activity.
97% of Gemalto shares have been tendered to the Thales offer (AP NEWS) Reference is made to the joint press release by Thales (Euronext Paris: HO) and Gemalto (Euronext Amsterdam and Paris: GTO) dated 29 March 2019 on the results of the recommended all-cash offer by Thales for all the issued and outstanding shares of Gemalto (the Offer) in which the Offer was declared unconditional and the Post-Closing Acceptance Period was announced.
Blue Hexagon bets on deep learning AI in cybersecurity (SearchSecurity) Network security provider Blue Hexagon is using deep learning to detect network threats. Learn what security experts have to say about using AI in cybersecurity.
Corero Network sets sights on profitability as cyber attacks grew (Proactiveinvestors UK) Corero Network Security PLC (LON:CNS) - Corero Network Security PLC specialises in cyber-security software
Rapid7: A New leader in Cybersecurity? (MoneyShow) Cybersecurity is one of the leading sectors of this new bull market, but the best performers in that space have been lesser-known names that are bu
The Women's Society of Cyberjutsu Announces the Wicked6 Cyber Games (PR Newswire) Today, the Women's Society of Cyberjutsu announces the Wicked6 Cyber Games, a cybersecurity exhibition and...
Products, Services, and Solutions
VirtualArmour Wins $300,000 Cybersecurity Contract with Subsidiary of Major Pharmaceutical Company (West) VirtualArmour International Inc. (CSE:VAI) (OTCQB:VTLR), a premier cybersecurity managed services provider, has won a new managed and professional services contract with a subsidiary of a Fortune Global 2000 pharmaceutical manufacturing company headquartered in California.
CIS Hardened Images Launched on Google Cloud Shielded VMs (PR Newswire) CIS® (Center for Internet Security, Inc.) today announced the availability of its CIS Hardened Images™ on...
After hackers access Microsoft's email service Centrify makes a case for enterprise Zero Trust Privilege (Techaeris) According to Microsoft, the hack occurred between January 1st and March 28th of this year.
Verizon strengthens commercial messaging platform (Telecoms.com) After providing call filtering features for free, Verizon is going to update its commercial messaging platform to better protect customers.
Maintech IT Support Solutions with a Focus on Security (PR Newswire) Maintech, Incorporated, a global leader in IT Infrastructure Services, provides multi-platform Hardware...
Technologies, Techniques, and Standards
Security Think Tank: Seven steps to manage risk of catastrophic cyber attack (ComputerWeekly) How should businesses plan to survive a potential cyber attack extinction event?
The cyber teams that helped stop Russian election interference (Fifth Domain) Cyber forces were given the mission to deter Russian attempts to influence the 2018 midterm election.
How an annual ‘Cyber Shield’ drill helps the National Guard secure elections (CyberScoop) Prior to the 2018 midterm elections, multiple states activated their National Guard forces to protect the vote from cyberthreats.
Census Bureau counts on new cybersecurity concerns (Fifth Domain) The U.S. Census Bureau identified more than 1,100 census system security weaknesses last year, according to a March report from the Government Accountability Office. Now, the Bureau is working to keep its data safe from hacks.
Can Private Coalitions Ensure Internet Safety? (Newsmax) The old playbook has been tech behemoths determining how best to safeguard consumer privacy and security. This overreliance on a few to protect the many is plainly not working.
Challenges and benefits of using the Mitre ATT&CK framework (SearchSecurity) Not all cybersecurity frameworks are equal. Getting started using the Mitre ATT&CK security framework means putting in some work -- but the benefits should make the effort worthwhile.
How Palo Alto Networks fends off its cyber adversaries (ComputerWeekly) Palo Alto Networks CIO Naveen Zutshi talks up the company’s approach in keeping threat actors at bay.
Is your DDoS Mitigation Strategy Terabit-Proof? (Infosecurity Magazine) Larger and stronger DDoS attacks require a new approach to mitigate them
AI in Cybersecurity: Why Do Cyber-Hacks Still Succeed? (Ziften Endpoint Security) This is my 3rd blog on artificial intelligence (AI) in cybersecurity, coming in the wake of our recent announcement that Ziften Zenith has added Advanced anti-virus (AV) built on a foundation of AI. Previously, we took a look at how machine learning-based cybersecurity systems operate differently from traditional, signature-based antivirus software. We also discussed the …
Why Enterprise Anti-Virus Isn’t Working (Ziften Endpoint Security) Most headline-grabbing enterprise cyber attacks repeat the same sad story: Enterprise anti-virus products were deployed across the endpoint population, the most targeted asset class in the enterprise; the anti-virus products did not prevent the attack or sound the alarm; attackers prowled across the victim cyber landscape undetected for weeks or months or even years. Can …
Design and Innovation
Notre Dame: YouTube's New Fact-Check Tool Attached An Article About 9/11 To Videos Of The Fire (BuzzFeed News) The widget showing information about the Sept. 11 terror attacks appears to have been triggered by a new feature YouTube is testing to provide "topical context" around videos that might contain misinformation.
YouTube’s algorithm added 9/11 facts to a live stream of the Notre-Dame Cathedral fire (TechCrunch) Some viewers following live coverage of the Notre-Dame Cathedral broadcast on YouTube were met with a strangely out of place info box offering facts about the September 11 attacks. BuzzFeed first reported the appearance of the misplaced fact-check box on at least three live streams from major news …
A computerized YouTube fact-checking tool goes very wrong: In flaming Notre Dame, it somehow sees Sept. 11 tragedy (Washington Post) As images of the iconic spire falling to the streets played on YouTube, “information panels” appeared below the videos appearing to link it to the terrorist attack on Sept. 11.
Notre Dame fire: YouTube slammed after live footage appears with link to 9/11 info (Fox News) YouTube was slammed Monday after live footage of the devastating Notre Dame blaze appeared above a link to information on the 9/11 terrorist attacks.
Twitter blocks EFF tweet that criticized bogus takedown of a previous tweet (Ars Technica) Starz filed bogus takedown requests—Twitter eventually restored blocked tweets.
Starz Apologizes for Taking Down Tweets to Torrentfreak Article Following Security Breach (Variety) Updated. Facing a backlash over overzealous copyright enforcement, Starz issued an apology on Monday for inadvertently taking down tweets to articles about TV show piracy. The TV network said in a …
Dstl launches new game to recruit brightest minds for cyber work (GOV.UK) The Defence Science and Technology Laboratory (Dstl) has launched an online game to recruit more than 60 staff to work in Cyber and Information Systems.
Legislation, Policy, and Regulation
Pentagon developing military options to deter Russian, Chinese influence in Venezuela (CNN) The Pentagon is developing new military options for Venezuela aimed at deterring Russian, Cuban and Chinese influence inside the regime of President Nicolas Maduro, but stopping short of any kinetic military actions, according to a defense official familiar with the effort.
US Knows It Must Do 'Something Quite Dramatic' to Overthrow Maduro - Analyst (Sputnik) According to an exclusive report by the Grayzone project, 40 top military advisors and strategists met during an event at the Center for Strategic and International Studies in Washington, D.C., to discuss possible US military intervention in Venezuela.
EU countries give final approval to copyright reform aimed at Google and Facebook (VentureBeat) The European Union approved a controversial, sweeping reform of copyright rules that includes provisions which critics argue will reduce free speech online.
Huawei should not be banned in Germany, says telecoms regulator (NS Tech) The head of the German telecoms regulator has suggested that Huawei will be allowed to participate in the roll out of the country's 5G infrastructure, dealing a blow to US efforts to curb the Chinese
Huawei Poses 'No Threat' According to Belgium, Trump Not Convinced (Infosecurity Magazine) The Belgian Centre for Cybersecurity won't issue
Huawei Has Skirted Outright Bans in Europe. But Not 5G Regulations (Bloomberg) Germany, France, U.K. have tightened regulatory standards. Huawei’s battle for piece of European pie enters key period.
U.S. to press allies to keep Huawei out of 5G in Prague meeting:... (Reuters) The United States will push its allies at a meeting in Prague next month to adop...
Analysis | The Cybersecurity 202: Nielsen’s departure will hurt DHS cybersecurity mission, experts say (Washington Post) They fear cybersecurity will struggle for attention as Trump focuses on the border.
House Homeland Committee wants more cyber funding for DHS (FCW) Twenty-eight of 31 members signed a letter to congressional appropriators arguing that the cyber mission at DHS is rising without a corresponding bump in resources.
Air Force hopes new organization can boost electronic warfare (C4ISRNET) Air Force leaders are touting the creation of a new information warfare organization earlier this month as a way to show the increasing importance of cyber and electronic warfare capabilities.
How America Plans to Stop the Next Inside Threat (The National Interest) The government has big plans to reform its security clearance process.
Litigation, Investigation, and Law Enforcement
Unsealed docs reveal new details in case against Assange (TheHill) A federal judge on Monday ordered the release of previously sealed documents filed in the case against Julian Assange, offering up new details about the U.S. government's allegations against the WikiLeaks founder.
Criminal complaint details case against Julian Assange (Washington Post) Investigators relied on his and Chelsea Manning’s online chats.
Affidavit in Support of a Criminal Complaint and Arrest Warrant (United States Magistrate Judge, Alexandria, Virginia) Source document contributed to DocumentCloud by Kadhim Shubber (Financial Times).
Big Companies Thought Insurance Covered a Cyberattack. They May Be Wrong. (New York Times) Citing a rarely used ‘war exemption,’ insurers say they aren’t responsible for the 2017 NotPetya attack.
Woman arrested at Mar-a-Lago will remain jailed. She was ‘up to something nefarious,’ judge says. (Washington Post) Yujing Zhang, who bypassed security at President Trump’s Florida resort, appears to be a flight risk, a magistrate judge said.
What Happened When The DEA Demanded Passwords From LastPass (Forbes) LastPass could only hand over IP addresses, billing information and details on how the suspected dark web drug dealer used the password manager.
ACCC teams with FBI for cartel probes (CRN Australia) Market-fixers face new trans-Pacific squeeze.
ICE Now Aided by ‘Enhanced’ Spy Powers (The Daily Beast) DHS’ intel chief says the immigration enforcement agency is now reaping the benefits of extra intelligence ‘collection’—and civil libertarians are concerned.
Is there a link between videogaming and cybercrime? Police think so (Naked Security) UK police are planning to issue online warnings to young gamers hoping to deter them from a life of cybercrime, they revealed last week.
Ghaziabad: It’s only April, but cyber fraud cases already half of those registered last year (The Times of India) The number of cases related to cyber fraud, cloning of ATM cards and theft of identity cards that are used in financial scams have spiked r.
Pregnancy Club Fined £400K After Illegally Sharing Data on Millions (Infosecurity Magazine) UK firm Bounty lucky to escape with pre-GDPR penalty