The CyberWire Daily Briefing 1.10.19

Summary

By the CyberWire staff

Proofpoint researchers describe two hitherto undocumented strains of malware, ServHelper (a backdoor) and FlawedGrace (a remote access Trojan) now being used in the wild by TA505.

WIRED has an account of how ISIS is turning from social networks to chat apps.

Reddit, which locked down a large number of accounts over security suspicions aroused by unusual activity in those accounts, is systematically restoring users' access.

The "shelf life, three weeks" tweets said to have aroused such suspicion at NSA in 2016 were apparently turned over to NSA by Kaspersky, say anonymous sources not authorized to discuss what they know. The tweet was addressed to "Yevgeni," presumably Eugene Kaspersky himself, by @HAL999999999 as Ars Techica reports. Thus it was Kaspersky, the Washington Post notes, and not US counterintelligence officers, who first twigged to the possibility that someone may have been getting ready to leak classified information, and that warning is being connected to Hal Martin's arrest.

Two points are worth making. First, Mr. Martin, who's entitled to the presumption of innocence, is charged with mishandling and unlawful retention of classified material, not with passing it to anyone. So the ShadowBrokers' leaks that soon followed the tweets may be coincidental (if one believes in such things). Second, as interesting as we find reading and writing about this developing story, the fact that anonymous sources not authorized to speak are speaking as much as they are suggests that US Federal insider threat programs remain more loosey-goosey than the Intelligence Community would probably hope.

Learn how Cylance silences cyber attacks with Artificial Intelligence.

Notes.

Today's issue includes events affecting Canada, China, Estonia, India, Iraq, Israel, Japan, Latvia, Lithuania, Norway, Russia, Syria, and United States.

Visualize Your Network Like the Most Infamous Hackers

Cyber threats are becoming more frequent and targeted. Bad actors are more adept at social engineering and investigating your network and infrastructure to understand your organization’s cyber strengths and weaknesses. This webinar delves into a robust threat model capable of repelling the world's most sophisticated hackers and nation-state actors. Join us for an introduction to ScoutThreat™, a threat management platform that helps analysts streamline threat analysis work and extract the maximum value from threat intelligence.

On the Podcast

In today's podcast, out later this afternoon, we speak with our partners at the University of Maryland, as Jonathan Katz discusses updated WiFi security. Our guest is Ameesh Divatia from Baffle on the growing frustration with how companies handle our private information.

And Hacking Humans is up. This episode, "Trained humans are your strongest link," features a warning about scammers gaining access to homes by pretending to be workers from the local utility company. Joe shares a story of a sophisticated bank transfer scam in the UK. Our catch of the day outlines an attempted email scam targeting an architectural firm. Carole Theriault is back with the second part of her interview with the pen tester who goes by the name freaky clown.

Sponsored Events

Rapid Prototyping Event: The Wolf in Sheep's Clothing (Columbia, Maryland, United States, January 29 - 31, 2019) DreamPort, in conjunction with the Maryland Innovation & Security Institute and USCYBERCOM, is hosting a Rapid Protoyping Event which is interested in identifying UAM solutions that employ advanced real-time analysis of multiple data sources for detecting unauthorized activities.

Selected Reading

Cyber Attacks, Threats, and Vulnerabilities

A Growing Frontier for Terrorist Groups: Unsuspecting Chat Apps (WIRED) While major messaging and social media platforms like Facebook, Twitter, YouTube, and Telegram are becoming increasingly inhospitable to ISIS, the group's reach is growing on lesser-known messenger apps designed for businesses and gamers.

ServHelper and FlawedGrace - New malware introduced by TA505 (Proofpoint) Proofpoint researchers detail two undocumented pieces of malware being used by TA505.

The D in SystemD stands for Dammmit... Security holes found in much-adored Linux toolkit (Register) Patches pending for distros to deal with threat of local privilege escalation to root

r/help - Recently locked out of your account? Help is on the way (Reddit) If you are here because you’ve been locked out of your account in the last day or so, you’re in the right place and we want to help you get your account back in working order.

Malvertising Campaign Delivers Info-Stealer + Ransomware (Infosecurity Magazine) Malwarebytes warns users of double whammy

Rogue iOS Apps Sent Data to Malicious Server (Security Boulevard) Researchers have come across several games in the iOS app store that sent information to and communicated with a known malicious server.

New Side-Channel Attack Targets OS Page Cache (SecurityWeek) Researchers who disclosed Meltdown, Spectre and other similar attacks are now back with a new type of side-channel attack, one that is hardware agnostic and targets the operating system page cache.

A year of data infection over protection - the rise of Magecart (IT Pro Portal) Considering the alarming rate at which digital credit card skimmers are found to be compromising e-commerce sites, what do businesses need to know about Magecart?

ONWASA: $277K spent on recovery, defense after cyber attack (The Daily News) ONWASA spent approximately $277,000 on recovery and on changing the types of defenses they employ following a cyber hack in October.

Swindler Dupes Georgia Health System Finance Director Into $1.2M Wire Payment (HealthLeaders Media) Police are investigating after the executive reportedly sent organization funds to someone posing as a representative of a construction company doing work for the health system.

Phishing emails only going to get smarter, warns security firm (IT Brief) Phishing emails typically mimic the look and feel of an email written by someone in authority, such as a bank, or even a colleague.

Security Patches, Mitigations, and Software Updates

Adobe Releases January 2019 Security Updates. None for Flash Player! (BleepingComputer) Adobe released their January 2019 Patch Tuesday updates today for Adobe Connect and Adobe Digital Editions. Updates were also released for Flash Player, but none of them are for security fixes!

Microsoft pulls buggy Office 2010 January updates (ZDNet) Microsoft's preparations for a new Japanese era coming later this year break Excel.

It’s raining RCE flaws (The Daily Swig | Web security digest) Seven critical updates in Microsoft’s new year Patch Tuesday

Snapchat adds end-to-end encryption to protect users' messages (The Telegraph) The messaging app Snapchat has introduced end-to-end encryption, protecting the disappearing photos shared between its users from being intercepted.

SAP Releases 'Hot News' Security Notes on First Patch Day of 2019 (SecurityWeek) SAP released its first Security Patch Day for 2019, which includes a total of 11 Security Notes, two of which are rated as Hot News.

Google Patches Critical Vulnerability in Android (SecurityWeek) Google has released its first set of monthly security patches for Android in 2019, with fixes for more than two dozen vulnerabilities.

Cyber Trends

Web Vulnerabilities Up, IoT Flaws Down (Dark Reading) The number of flaws found in WordPress and its associated plugins have tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.

The State of Web Application Vulnerabilities in 2018 (Imperva) This blog provides an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. This look back at 2018 helps readers to understand the changes and trends in web application security over the past year.

WordPress-Related Vulnerabilities Tripled in 2018 (BleepingComputer) WordPress-related vulnerabilities have seen a 300% increase in 2018 compared to the previous year, a recent study has found. Most of the bugs were in the plugins that extend the functionality of WordPress websites.

Email security predictions: What we can expect in 2019 (Help Net Security) 2018 shed a lot of light on how expensive successful phishing attacks can be, with the FBI reporting in July well over $12B in financial losses due to

Most Israelis confident nation ready for major cyber-attack (The Jerusalem Post) Israelis are far more trusting than others that their country is safe from cyber-attacks, are they right?

Analysis | The Cybersecurity 202: Democrats are more concerned about election security than Republicans, survey finds (Washington Post) Cybersecurity’s a partisan topic now. Get used to it.

Marketplace

Parsons acquires geospatial intelligence provider OGSystems (C4ISRNET) OGSystems will bolster Parsons' intelligence and artificial intelligence offerings.

Hui Huliau Acquires AC4S (PR Newswire) Hui Huliau announced today the acquisition of Advanced C4 Solutions Inc. (AC4S), a leader in C4, professional...

Sophos snaps up cloud infrastructure specialist Avid Secure (ZDNet) The small company bounces between California and India.

Why FireEye Stock Dropped 19% in December -- The Motley Fool (The Motley Fool) A Wall Street firm sees limited upside for the cybersecurity company's shares.

Symantec Appoints Sue Barsamian To Its Board of Directors (AP NEWS) Symantec Corp. (NASDAQ: SYMC) today announced that its Board of Directors (the “Board”) appointed Sue Barsamian and Richard S. “Rick” Hill as members of the Board, effective January 7, 2019.

Check Point Taps VMware’s Frank Rauch to Lead Global Channels (Channelnomics) VMware, HP veteran to oversee worldwide channel sales for security vendor

Logikcull, Leader in Corporate Data Governance, Announces Appointment of Technology Executive Bill Welch to Board of Directors (PR Newswire) Amid rising scrutiny paid to corporate data governance, including legal discovery where the risks and costs are...

Products, Services, and Solutions

Respond Software and Norwich University Defend NCAA College Football Playoff Championship (PR Newswire) On Monday, January 7, 2019, the Clemson Tigers and Alabama Crimson Tide faced off for one of the largest...

Intelity Partners with Acuant to Further Streamline Guest Check-in and Mobile Key Delivery (Acuant) Intelity and Acuant partner to offer secure ID verification for hotels including mobile check-in remote identity check to streamline guest experience.

Hyatt launches public bug bounty program with HackerOne (Hyatt Newsroom) Adds an additional layer to Hyatt’s cyber security strategy

Microsoft spins off security, compliance bits from Microsoft 365's priciest plan for E3 customers (Computerworld) Microsoft is adding two new M365 add-on plans for corporate customers already subscribing to the Enterprise E3 version.

Microsoft Adding Office 365 Threat Auto-Investigation to GCC Offering (BleepingComputer) The auto-Investigation with threat playbooks feature was included in the roadmap in October and was now also added to Microsoft's future Office 365 Government GCC offering

A10 Networks Thunder® Convergent Firewall Selected for 5G Network Deployment by Major Japanese Mobile Carrier (BusinessWire) A10 Networks (NYSE: ATEN), a leading provider of intelligent and automated cybersecurity solutions, today announced a major Japanese mobile carrier ha

Graphus Integrates with Phishing Awareness Training Solutions (PRWeb) In the latest release of Graphus® they have implemented several new features and enhancements to their platform and one in particular that is very exciting is

Bromium Secure Browsing Isolates Intelligently and Maximizes Browser Choice (Security Boulevard) Web browsing is intensely personal, even at work. Users develop strong preferences, tend to lock in a browser early, and are fiercely loyal to their favored choice.

UNITED STATES : Looking Glass, Darkmatter's cyber-intelligence broker (Intelligence Online) The US cyber-security firm LookingGlass Cyber Solutions (LGC), which will be at the Gulf Information Security Expo and Conference (GISEC)

Rohde & Schwarz Unveils New DPI Features for vEPC (Fast Mode) ipoque, a Rohde & Schwarz company providing market-leading deep packet inspection (DPI) software, announced new R&S PACE 2 capabilities for the virtualized evolved packet core (vEPC) market.

Rackspace authorised to host Aussie government data (CRN Australia) Approved up to the unclassified level.

FireEye updates Email Security with new threat detection and evasion defenses (Help Net Security) FireEye Email Security enhancements include executive impersonation protection, URL protection, password-protected image analysis.

Gemalto helps simplify and secure IoT connectivity to the AT&T network with eSIM and IoT module (Help Net Security) Gemalto is helping simplify and secure IoT connectivity for AT&T customers by integrating its embedded SIM (eSIM) inside the Cinterion LTE-M IoT module.

Xerox enhances AltaLink Workplace Assistants (Help Net Security) New software enhancements to these Workplace Assistants, allow companies to monitor critical security settings and automatically reset unauthorized changes.

Polyverse announces technology partnership with Red Hat (Help Net Security) Polyverse’s Polymorphic Linux has been tested and certified for use on the platform, ensuring performance and compatibility for enterprise customers.

Deception for proactive defense (Help Net Security) This article is fourth in a five-part series being developed by Dr. Edward Amoroso in conjunction with the deception technology team from Attivo Networks.

Technologies, Techniques, and Standards

Countering Russian disinformation the Baltic nations' way (The Conversation) European countries, especially the Baltic states of Estonia, Latvia and Lithuania, have confronted Russian disinformation campaigns for decades. The US can learn from their experience.

What will it take to monitor and secure mobile military networks? (C4ISRNET) Soldiers in combat require immediate access to information, which requires a dependable and secure network. Army leaders must have a system in place that allows them to quickly address problems and bottlenecks as they occur.

SingHealth COI makes 16 recommendations to strengthen cyber defence (The New Paper) A senior manager at Integrated Health Information Systems (IHiS) did not report the cyber attack as he feared added pressure and more work. With no clarity on how such incidents should be reported, a junior staff member who discovered the breach left it to her direct...

Buyer Beware: Autonomous Security is a Myth (SC Media) Cybersecurity artificial intelligence (AI) needs to exist before it can save us. The excessive use of AI in marketing materials has left those looking for

Understanding how data becomes intelligence is central for any successful security program (Help Net Security) Threat intelligence is one of the hottest terms in information security at the moment. But, as with so many buzzwords, it is often overused and misused.

5 Key Features Your Security Risk Assessment Should Have (Panorays) Security risk assessments are critical for measuring supplier security posture, but they can be cumbersome and time-consuming. Here are top 5 features for an effective security risk assessment.

GDPR: Five tips for organizations to remain compliant (Help Net Security) For the majority of UK businesses, a huge amount of time and resource was invested to become GDPR compliant in time for the May 2018 deadline. The cost of

Research and Development

CyberX Receives U.S. Technology Patent for ICS Threat Monitoring Analytics (POWER Magazine) CyberX Receives U.S. Technology Patent for ICS Threat Monitoring Analytics

Academia

Cybersecurity a must in curriculum in increasingly digital classrooms (Education Dive) An ability to responsibly navigate online threats is as critical as grasping life skills taught in home economics — and educators must learn, too.

Legislation, Policy and Regulation

Norway considering whether to exclude Huawei from building 5G network (Reuters) Norway is considering whether to join other western nations in excluding China...

Japan and India to discuss space and cyberspace at upgraded 'two-plus-two' security talks (The Japan Times) The two nations will aim to launch ministerial security talks early this year to deepen security cooperation, Foreign Minister Taro Kono said.

Senate Bill Demonstrates Continued Interest in the Federal Acquisition Supply Chain (JD Supra) For years, United States security agencies have recognized a threat to government information technology systems posed by contractor supply chains....

INSIDE THE RING: Foreign hacker threat grows for private sector (The Washington Times) The National Counterintelligence and Security Center this week launched a campaign to alert the public to growing threats posed by hackers from China, Russia and other foreign adversaries.

Shutdown delays TSA data-security efforts (FCW) The standoff over a controversial border wall is holding up activity on a planned overhaul of key transportation security systems.

Litigation, Investigation, and Enforcement

Kaspersky blew whistle on NSA hacking tool hoarder (Ars Technica) Kaspersky passed suspicious Twitter messages from Martin to US government.

Russian firm that was barred from U.S. networks as a spy threat helped NSA nab suspect in massive breach (Washington Post) Kaspersky Lab alerted the NSA it had received strange Twitter messages from an agency worker who was subsequently arrested.

Hal Martin's defense says prosecutors have yet to provide essential evidence (CyberScoop) Attorneys for Harold T. Martin III, the former U.S. National Security Agency contractor accused of perhaps the largest theft of government secrets in American history, said in a court filing that government prosecutors have not allowed access to evidence necessary to mount a sufficient defense.

Further Investigations Show Ties of China's Huawei To Iran (Forbes) A Reuters report says Huawei looks to have done business with Iran and Syria.

New documents link Huawei to suspected front companies in Iran, Syria (CNBC) U.S. authorities allege CFO Meng Wanzhou deceived international banks into clearing transactions with Iran by claiming the two companies were independent of Huawei, when in fact Huawei controlled them.

Canadians support Ottawa’s decision to arrest Huawei executive, poll shows (The Globe and Mail) Canada’s arrest of Meng Wanzhou has severely strained relations with Beijing, sparking angry demands for her to be returned home and the imprisonment of two Canadians

Chinese envoy accuses Canada of ‘white supremacy’ for demanding release of Canadians (The Globe and Mail) Canadian authorities arrested Meng Wanzhou in December at the request of the United States

Lieberman's ZTE Work Makes Him a Foreign Agent: Complaint (Bloomberg) Former Senator Joe Lieberman should register as a foreign agent for his work on behalf of embattled Chinese telecommunications company ZTE Corp., according to a complaint filed with the Justice Department today by the Campaign Legal Center.

Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters (Motherboard) After Motherboard’s article, Senators Kamala Harris, Mark Warner, and Ron Wyden are coming out against telcos who are selling their customers' location data.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

PCI Security Standards Council 2019 India Forum (New Delhi, India, March 13, 2019) You’re invited to a day of networking opportunities and educational sessions as the PCI Security Standards Council holds its first ever India Forum in New Delhi, India. You won’t want to miss our engaging roster of payment and cyber security experts who will discuss challenges and opportunities for data security in India and provide updates on the latest standards and solutions for protecting payments. We provide you the information and tools to help secure payment data. We lead a global, cross industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent criminal attacks and breaches. Don’t miss out!

InfoSec World 2019 (Lake Buena Vista, Florida, USA, April 1 - 3, 2019) Cybersecurity has come a long way in 25 years, and InfoSec World has been there through it all. That's right, InfoSec World 2019 Conference & Expo is returning to Disney's Contemporary Resort on April 1-3, 2019, and we're celebrating 25 years of being the business of security conference. Join your peers and our experts as we come together as a community once again to not only sharpen our cybersecurity skills, but to discover what it takes to be a valued business partner and enabler as well.

2019 Industrial Control Systems (ICS) Cyber Security Conference (Singapore, April 16 - 18, 2019) As the largest and longest-running cyber security-focused conference for the industrial control systems sector, the event caters to the energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations, including the military. The conference will address topics covering ICSs, including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices. Delegates can look forward to a fantastic 3-day event filled with talks world renowned experts unfettered panel discussions, experience sharing, new research findings, new technologies, and international networking; all in a comfortable and glamorous setting at the Fairmont Singapore.

upcoming Events

SINET Global Institute CISO Series (Scottsdale, Arizona, USA, January 15 - 16, 2019) By invitation only. These intimate CISO workshops address the challenges that Board of Directors are placing on security and risk executives, and how to successfully manage and communicate today’s enterprise and organizational threats. These are an intense “roll your sleeves up” thought leadership discussions on How Cyber is Driving the New Board Perspective on Enterprise Risk Management. Attendance is limited to 30 Security and Risk Executives from Global 2000 corporations.

CPX Asia 360 2019 (Bangkok, Thailand, January 21 - 23, 2019) CPX 360 - the industry’s premier cyber security summit and expo - brings together the world’s leading cyber security experts to one venue. Gain a deep understanding of current challenges cyber security professionals face. Experience insightful Cyber Talk keynotes, conference sessions, and hands-on labs covering the latest innovations. Register today!

CPX Americas 360 2019 (Las Vegas, Nevada, USA, February 4 - 6, 2019) CPX 360 promises to be the premier cyber security summit. CPX 360 is where you’ll receive up-to-the-minute intelligence about global threats and other vital topics from the world’s leading cyber security experts. In addition, you’ll enjoy getting hands on with cutting-edge security solutions from Check Point, networking with your peers, and celebrating with the world’s cyber security elite. If you attend one cyber security event this year, make it CPX 360.

QuBit Conference Belgrade 2019 (Belgrade, Romania, February 7, 2019) QuBit is a Cybersecurity Community Event connecting the East and West. We create a unique way to meet the best and the brightest minds in the information security fields across multiple industries, and all carrier levels. We are collecting great feedbacks on past conferences so we would be glad to cooperate with you, too. QuBit Conference consists of one day (2 in Prague) full of educational presentations, keynotes, case studies and interactive panel discussions in QuBit way - community spirit and tons of great networking opportunities. Not to mention popular pre-conference hands on training held a day before conference.

NITSIG Meeting: Insider Threat Detection & Mitigation Using External Data Sources (Laurel, Maryland, USA, February 12, 2019) Gathering and analyzing Internal data sources is very important for Insider Threat Detection. Equally important is knowing what External data sources are also available to create the "Big Picture" of potential / actual Insider Threats. This meeting will focus on the many External data sources that are available from various companies, for organizations and businesses that want to be proactive in "Employee Threat Identification". This meeting will also provide insight into the possibility that your company's data may be "For Sale" on the Dark Web, and how to locate it.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.

TA505 using new crimeware strains. ISIS turns to chat apps. Reddit's cautious lockdown. The strange tweets of @HAL999999999.