Cyber Attacks, Threats, and Vulnerabilities
Sri Lanka Attack ‘Is the Wave of the Future’ (Foreign Policy) Returning Islamic State fighters are spreading “a really viral ideology” and looking for vulnerable countries to target, says terrorism expert Anne Speckhard.
Supply Chain Hackers Snuck Malware Into Videogames (WIRED) An aggressive group of supply chain hackers strikes again, this time further upstream.
ShadowHammer Targets Multiple Companies, ASUS Just One of Them (BleepingComputer) ASUS was not the only company targeted by supply-chain attacks during the ShadowHammer hacking operation as discovered by Kaspersky, with at least six other organizations having been infiltrated by the attackers.
Kaspersky Links ShadowHammer Supply-Chain Attack to ShadowPad Hackers (SecurityWeek) The sophisticated supply-chain attack called Operation ShadowHammer that targeted ASUS users can be linked to the "ShadowPad" threat actor and the CCleaner incident, Kaspersky Lab’s security researchers say.
Operation ShadowHammer: A High Profile Supply Chain Attack (Securelist) In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility. Now it is time to share more details about the research with our readers.
Hotspot finder app blabs 2 million Wi-Fi network passwords (Naked Security) If you used WiFi Finder, your passwords to both public and private networks have been left online in an unprotected database.
Someone is spoofing big bank IP addresses – possibly to embarrass security vendors (CyberScoop) The last several days have seen a surge in internet traffic mimicking the IP addresses of big U.S. banks in a possible effort to disrupt the cybersecurity personnel and products that help protect organizations from malicious traffic, according to GreyNoise Intelligence, a company that maps internet traffic.
Fraudsters Target Magic Circle Law Firm’s Managing Partner (Today's Conveyancer) The UK managing partner of Magic Circle law firm Clifford Chance has been impersonated by scammers in a bid to con unsuspecting members of the public.
After Mueller report, Twitter bots pushed ‘Russiagate hoax’ narrative (NBC News) As social media platforms continue to prepare for the 2020 election, efforts to spread disinformation and sow discord remain an ongoing issue.
Carbanak Source Code Discovered on VirusTotal (SecurityWeek) The source code of a backdoor associated with the prolific FIN7 threat actor has emerged on VirusTotal alongside builders and other tools from the group, FireEye security researchers reveal.
Source code of Carbanak trojan found on VirusTotal (ZDNet) Carbanak source code has been available on VirusTotal for two years, and security firms didn't even notice.
DNSpionage Drops New Karkoff Malware, Cherry-Picks Its Victims (BleepingComputer) The DNSpionage malware campaign has added a new reconnaissance stage showing that the attackers have become more picky with their targets, as well as a new .NET-based malware dubbed Karkoff and designed to allow them to execute code remotely on compromised hosts.
Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection (SecurityWeek) OceanLotus, a Vietnam-linked cyber-espionage group, has been using atypical executable formats in an attempt to avoid detection and hinder analysis, according to security firm Malwarebytes.
Of hoodies and headphones: a spotlight on risks surrounding audio output devices (Malwarebytes Labs) For years, researchers have been poking holes in our audio output devices in the name of security and privacy. They've found many ways our headphones can be hacked or otherwise compromised. Learn what they discovered, and how you can secure your own.
Banking Trojan Drive-by Download Leverages Trust in Google Sites (SecurityWeek) Brazilian hackers have developed a drive-by download attack using a banking trojan known as LoadPCBanker that is deployed using the file cabinets template in Google sites as a delivery vehicle.
How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in (Washington Post) Tech companies are deciding between user convenience and potential damage to their brands.
Manufacturing giant Aebi Schmidt hit by ransomware (TechCrunch) Aebi Schmidt, a European manufacturing giant with operations in the U.S., has been hit by a ransomware attack, TechCrunch has learned. The Switzerland-based maker of airport maintenance and road cleaning vehicles had operations disrupted Tuesday following the malware infection, according to a sourc…
Examining Triton Attack Framework: Lessons Learned in Protecting Industrial Systems (SecurityWeek) Examining the Triton attack toolkit and methodology behind it now offers industrial manufacturers and OEMs, plant safety teams and IT/OT teams more insight into what they need to do to get ahead of hardening their networks.
New Twist in the Stuxnet Story (Dark Reading) What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.
Fujifilm FCR Capsula X/Carbon X (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Fujifilm. Equipment: FCR Capsula X/Carbon X. Vulnerabilities: Uncontrolled Resource Consumption, Improper Access Control. 2.
Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers (ICS-CERT) 1. EXECUTIVE SUMMARY. CVSS v3 7.1. ATTENTION: Exploitable remotely/low skill level to exploit. Vendor: Rockwell Automation. Equipment: MicroLogix 1400 and CompactLogix 5370 Controllers. Vulnerability: Open Redirect. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to input a malicious link redirecting users to a malicious
Connectwise CEO defends security stance after Wipro breach (CRN Australia) It's not as if MSPs don't know they're juicy targets.
Bodybuilding.com Discloses Data Breach (SecurityWeek) Bodybuilding.com announced that hackers were able to access its systems after it discovered unauthorized access to our systems in February 2019.
Healthcare Firm EmCare Says 60,000 Employees and Patients Exposed in Breach (SecurityWeek) Dallas, Texas-based firm EmCare said that a number of employees' email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.
Atlanta Hawks sniped by Magecart (Sanguine Security) Online credit card thieves - also known as Magecart - have managed to inject a payment skimmer in the online store of the Atlanta Hawks. Fans who ordered merchandize on or after April 20th had their name, address and credit card stolen.
Phone fingerprint scanner fooled by chewing gum packet (Naked Security) A video has surfaced claiming to show someone unlocking a Nokia 9 by tapping a gum packet against the fingerprint scanner.
Bullskin Township hit with cyber attack (The Daily Courier) The Pennsylvania State Police and FBI have been asked to investigate an incident in which Bullskin Township's computer system apparently came under attack by malware.
Security Patches, Mitigations, and Software Updates
Tumblr – finally – enables HTTPS for all accounts (TechCrunch) Better late than never, Tumblr has rolled out HTTPS across its entire site. In a brief post on Tumblr’s engineering page, the company said all Tumblr sites will now have the web encryption setting enabled by default, though it admitted the move was “long-overdue.” Tumblr, which li…
Machines running popular AV software go unresponsive after Microsoft Windows update (SC Media) April’s Microsoft Windows update is causing headaches for users who had previously installed AV software from Avast, Avira, ArcaBit, McAfee and Sophos.
Cyber Trends
Tackling Mental Health in Cybersecurity [Q&A with Dr. Ryan Louie, MD, Ph.D.] (Bricata) People that protect others have to be at their best, which is why mental health in cybersecurity is so important; this requires safety, openness, and leadership according to Dr. Ryan Louie, MD, Ph.D.
New study examines current state of grid cybersecurity efforts (Daily Energy Insider) A new study by the Vermont Law School’s Institute for Energy and the Environment lays out the challenges of protecting the electric grid from cyberattacks and provides some methods that may hold the keys to ...
Bitglass warns of escalating insider attacks (WhaTech) Bitglass, the Next-Gen CASB company, has cautioned that insider attacks are escalating and that a significant number of organisations are failing to monitor user behaviour across their cloud footprints.
Australian business cyber failings at 'crisis' levels: IBM (Australian Financial Review) Australian businesses can't find qualified people to fill cyber security roles, leaving them vulnerable to the growing threat of cyber criminals.
Marketplace
Air Force joins growing list of agencies paving a new cyber-approval path (Federal News Network) Air Force undersecretary and chief information officer Matt Donovan signed a memo March 22 detailing the new authority to operate (ATO) process that is about speed and rigor.
Huawei’s business is doing just fine, despite US security risk accusations (The Verge) Despite being portrayed as an asset for Chinese espionage, Huawei posted a strong quarter.
Kaspersky CEO: Open your source codes to win governments' trust (ZDNet) Governments harbouring security concerns about systems manufactured by foreign tech companies should ask these vendors to open up their source codes for inspection, just like technology players such as Huawei and Kaspersky have done for their customers, says Eugene Kaspersky.
Reskilling academy opens up new round of applications, as agencies seek more IT workforce investments (Federal News Network) The Cybersecurity Reskilling Academy is accepting applications for a second cohort of students, this time open to the entire federal workforce.
A second chance for feds to jump-start cyber careers (Fifth Domain) The Trump administration's new program for retraining current federal employees for cybersecurity positions is accepting new applicants.
FireEye Joins Retail and Hospitality ISAC as Associate Member (AP NEWS) The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) and FireEye, Inc. (NASDAQ: FEYE) today announced that the intelligence-led security company has joined the RH-ISAC as an Associate member.
Symantec joins DOD cyber threat-sharing group (FCW) The addition of Symantec, which already has a robust threat intelligence network in place, could help bolster the quality and sophistication of the information that flows through the program.
IOActive Partners with the Institute for Critical Infrastructure Technology (ICIT) to Drive Public and Private Sector Collaboration (IOActive) Partnership will facilitate focused research on cyber and public safety issues impacting critical infrastructure
Forcepoint unveils digital transformation acceleration strategy with new converged cyber security solutions and partner ecosystem (ITWeb) The Forcepoint Converged Security Platform delivers extensible and behaviour-based risk-adaptive protection.
Big Bitcoin Exchange Ends Bid to Lure High-Speed Traders (Wall Street Journal) Cryptocurrency exchange Coinbase is ending an ambitious effort to win over high-frequency traders, the latest sign that bitcoin companies are having trouble attracting mainstream financial players.
DataGrail Expands Executive Team with Key Sales Leadership Hire (PR Newswire) DataGrail, the first purpose-built privacy management platform to help companies comply with GDPR, CCPA and...
Former OCC Executives Join Varo Money (Varo Money) Varo leadership expands as it builds banking systems designed to enhance customer financial health.
She sold the Patriot Act to Congress. Her next job is defending Facebook. (Washington Post) Jennifer Newstead, described by a colleague as the "day-to-day manager" of the 2001 Patriot Act, was named Monday as Facebook's new general counsel.
Arete Advisors Adds Elite Incident Response and Forensic Investigators to its Cyber Response Team (BusinessWire) Arete Advisors adds four of the world's foremost incident response and forensic investigators to its elite cybersecurity team
Products, Services, and Solutions
ReFirm Labs Announces Spring 2019 Release of Centrifuge Platform Updates with UEFI Support, Launches Binwalk Pro (PRWeb) ReFirm Labs continues to advance its IoT and firmware security solutions that proactively vet, validate and continuously monitor the security of firmware that runs connected devices
Varonis Launches Certified Administrator Training and Elite Program to Support Customers Focused on Data-Centric Cybersecurity (West) Varonis Systems, Inc. (NASDAQ: VRNS), a pioneer in data security and analytics, launched two new programs to help its customers appreciate the power of Varonis’ solutions and use the platform to its fullest potential: the Varonis Certified Administrator Training Program and the Varonis Elite Program.
Bandura Cyber and Global Resilience Federation Partner to Meet Industry Demand for Automated Defense and Threat Intelligence Integration (BusinessWire) Bandura and GRF partnered to integrate automated intelligence feeds and gateway technology for the perimeter defense of GRF affiliated companies.
Light Point Security Wins the 2019 InfoSec Award for Browser Isolation (PR Newswire) Light Point Security, the award-winning pioneer of Browser Isolation, announced today that it has received the 2019...
Bay Dynamics and Carbon Black Integration Combines Powerful Analytics with EDR for Broader Coverage of Security Infrastructure and the Cloud (West) Integration empowers security teams to resolve threats across endpoints and the cloud
Device-Based Authentication Capabilities from Fiserv Enhance Both Cybersecurity and Customer Experience (MarketWatch) Fiserv, Inc. FISV, a leading global provider of financial services technology solutions, has launched capabilities that enable financial institutions to...
IoT device testing made possible with BeStorm X (SearchSecurity) Beyond Security and Ubiquitous AI Corporation designed BeStorm X specifically for IoT device testing. The vendors claim the black-box fuzzer can identify zero-day vulnerabilities and other weaknesses.
Team of boffins fights cyberattacks (Clarus Security) Edinburgh-based IT security consultancy, 7 Elements, has launched a unique new IT security solution that brings together enterprise-grade automated scanning software with expert human analysis to reduce the risk of corporate cyberattacks. Used by organisations to identify, highlight and manage vulnerabilities, ‘Clarus’ has been unveiled by 7 Elements as part of the UK Government’s flagship …
Technologies, Techniques, and Standards
How Aussie MSPs teach cybersecurity (CRN Australia) How do you ensure training sticks with the customer?
Is it Impossible to Securely Manage the Billions of ‘Things’ in the IoT Ecosystem? (GlobalPlatform) The standard for secure digital services and devices
Respect Is Key for Retaining Top Security Talent (SecurityWeek) There are no shortcuts and no easy fixes for retaining top security talent, but showing security talent that it is respected is important.
NOAA’s approach to Zero Trust is a ‘developing process’ (Federal News Network) NOAA’s broad spectrum of data formats across more than 90 business systems requires regular check on authorization and cyber health.
How to Solve the Blindspots of Event-Driven Detection (Comae Technologies) A while back, I discussed how memory could be used as an ultimate form of the log as long as the analysis workflow and process is smooth.
A CISO looking back, “Dear younger me…” (CISO MAG) I remembered decisions that I made that had a profound impact on my family or employees and decisions I passed on because I lacked experience or the confidence to see my path forward.
Design and Innovation
Google Moves Developers to OAuth to Help Prevent Phishing Attacks (Decipher) Google is planning to block sign-in attempts from embedded browser frameworks soon to help defeat some phishing attacks.
UK's NCSC Suggests Automatic Blocking of Common Passwords (SecurityWeek) The UK's National Cyber Security Centre (NCSC) believes that if defenders automatically block the most common passwords, then hacking will be made more difficult.
Why the government can’t lead IT innovation by itself (Federal Times) The federal government is no longer the monolith it once was for technology research and development.
Academia
Academy cadets take 1st place at NSA-sponsored cyber competition (United States Air Force Academy) Cadets at the Air Force Academy grabbed the top slot at the National Security Agency Cyber Exercise.
Legislation, Policy, and Regulation
'No right to livestream murder': Ardern leads push against online terror content (Guardian) New Zealand PM launches ‘Christchurch Call’ to build support to eliminate extremist material on social media
Sri Lankan president shakes up defense forces, says attack warnings went unheeded (USA TODAY) Sri Lanka’s president has demanded that the defense secretary and national police chief resign after the Easter Sunday suicide bombings.
Don't Praise the Sri Lankan Government for Blocking Facebook (WIRED) Social media can provide vital information in a crisis, and there's evidence that blocking it does more harm than good.
Sri Lanka Shut Down Social Media. My First Thought Was ‘Good.’ (Quartz) As a tech journalist, I’m ashamed to admit it. But this is how bad the situation has gotten.
Iranian parliament labels entire US military as terrorists (Military Times) Iranian lawmakers on Tuesday overwhelmingly approved a bill that labels all U.S. military forces as terrorist, state TV reported, a day after Washington ratcheted up pressure on Tehran by announcing that no country would any longer be exempt from U.S. sanctions if it continues to buy Iranian oil.
Jack Dorsey just met with Trump to talk about the health of Twitter’s public discourse (TechCrunch) Twitter’s co-founder and CEO historically doesn’t have the most discerning tastes when it comes to who he decides to engage with. Fresh off the podcast circuit, today a thoroughly beardy Jack Dorsey sat down with President Trump for his most high-profile tête-à-tête yet. Unlike his rece…
Trump met with Twitter CEO Jack Dorsey — and complained about his follower count (Washington Post) President Trump met privately on Tuesday with Twitter CEO Jack Dorsey. The meeting comes as the president continues to accuse tech giants of exhibiting bias against conservative users.
Tim Cook calls for regulation of tech industry with ‘serious issues,’ says government encryption case was rigged (9to5Mac) Today at the TIME 100 Summit, Apple CEO Tim Cook opened the event with an interview with Nancy Gibbs. The conversation ranged from topics like corporate values, politics, privacy, encryption, regul…
ASD Essential Eight cybersecurity controls not essential: Canberra (ZDNet) The Australian government demonstrates its can't-do attitude to computering yet again. Requiring all agencies to follow the Australian Signals Directorate's 'best advice' is just too hard.
Analysis | The Cybersecurity 202: DHS is pushing cybersecurity support to presidential campaigns (Washington Post) It's one of the agency's top election security goals.
[Letter to Google's CEO] (US House of Representatives Committee on Energy and Commerce) Dear Mr. Pichai: We are writing in response to concerning reports about a massive database of precise location information on hundreds of millions of consumers known inside Google as "Sensorvault."
International intelligence agencies share stage at cyber summit in Glasgow (FutureScot) Members of the so-called 'Five Eyes' intelligence alliance to discuss cyber resilience
Huawei will help build Britain’s 5G network, despite security concerns (The Verge) Experts and policymakers are wary of letting China get involved in domestic infrastructure
British PM approves Huawei role in 5G network: report (AFP) British Prime Minister Theresa May has given the go-ahead for China's Huawei to help build a 5G network, shrugging off security warnings from senior ministers and Washington, the Daily Telegraph reported Wednesday.
Could Huawei threaten the Five Eyes? (BBC News) Different views about the threat posed by the Chinese firm pose risks to the intelligence alliance.
Czech president to meet Huawei boss in China on mission to boost ties (Reuters) Czech President Milos Zeman will meet Huawei Chief Executive Ren Zhengfei when h...
Australia’s Huawei ban raises difficult questions for the WTO (East Asia Forum) Authors: Tania Voon and Andrew Mitchell, University of Melbourne At a World Trade Organization (WTO) meeting of the Goods Council in Geneva on 12 April 2019, China expressed concerns about Australi…
Government, business should guard Internet together: British intelligence chief (Reuters) The head of Britain's GCHQ spy agency on Wednesday will call on businesses ...
Competition with China requires new technology transfer rules for US allies and Silicon Valley (Defense News) The time has come for new defense export reforms, says a former Pentagon official and key staffer for Sen. John McCain.
Build A ‘Five Eyes’ For Military Tech Sharing: Greenwalt (Breaking Defense) As the US and its allies scramble to stay ahead of China and Russia, a bold proposal for a massive revamp of tech sharing emerges.
Leveraging the National Technology Industrial Base to Address Great-Power Competition (Atlantic Council) Read the Publication (PDF) In US law, the National Technology and Industrial Base (NTIB) comprises the industrial bases of the United States and three of its closest historical allies, Australia, Canada, and the United Kingdom. Canada was included...
EU votes to create gigantic biometrics database (ZDNet) EU Parliament green-lights the creation of the Common Identity Repository (CIR), a gigantic biometrics database.
Top Cyber Diplomat Says U.S. Needs Allies’ Help to Punish Cyberattacks (Nextgov) Creating a unified international response around online attacks will help “establish the legitimacy” of norms for cyberspace, says Rob Strayer.
Deterring Russian Aggression in the Baltic States (RAND) Estonia, Latvia, and Lithuania are vulnerable to low-level, hybrid, and full-scale attacks by Russian forces. Which unconventional strategies could they use to deter aggression and buy time for conventional military responses? And how can NATO allies help develop and fund these efforts?
How Russian motorcycle gangs, fake news and cyber attacks could threaten NATO, and how US forces can help (Military Times) Hypothetical: A Russian motorcycle gang rolls up to an Estonian border outpost and begins to harass the guards. Are they a drunken band of miscreants, or state-sponsored interlopers?
Cybersecurity: Changing the Model (Atlantic Council) Read the Publication (PDF) The current model of cybersecurity is outdated. Adversaries continue to grow more sophisticated and outpace advancements in defense technologies, processes, and education. As nation states enter into a new period of great...
Pentagon’s ‘Rebel Alliance’ gets new leadership (C4ISRNET) The changeover of leadership occurs as the current Defense Digital Service director and founder is about to see his term at the agency expire.
Litigation, Investigation, and Law Enforcement
Death toll from Sri Lanka bombing attacks rises to 359: police (Reuters) The death toll from the Easter Sunday suicide bombing attacks on churches and ho...
Sri Lanka 'bombing mastermind' named as Moulvi Zahran Hashim (The Telegraph) Sri Lankan intelligence has named the mastermind behind the Easter Sunday attacks as Moulvi Zahran Hashim, an extremist local cleric who incited his followers to violence with fiery sermons on his social media channels.
Pointing a Finger at a Terrorist Group in the Aftermath of the Sri Lanka Blasts (New York Times) Officials could not explain why a warning about a militant Islamist organization planning suicide bombings failed to stop the assaults, which killed more than 300 people.
Radical Islamic cleric named as Sri Lanka bombings mastermind (New York Post) A radical Islamic cleric who uses the burning Twin Towers as a backdrop to fiery online sermons has been named the mastermind behind the devastating Sri Lanka terror attacks, it was claimed Tuesday…
Sri Lanka detains new suspects amid frantic hunt for bombers (AFP) A Sri Lankan security dragnet hunting those responsible for horrifying bombings that claimed more than 350 lives has scooped up a further 18 suspects,
Pressure builds on Sri Lankan officials as Isis claims Easter attacks (the Guardian) Bombings that killed more than 320 people have hallmarks of Isis, say security experts
Sri Lanka blasts (DAWN.COM) EVEN in times like these when mass-casualty attacks have become frighteningly common, Sunday’s bloodbath in Sri...
Sri Lankan authorities knew names of terrorists weeks before bombings (New York Post) Sri Lankan authorities were warned more than two weeks before the devastating attacks that killed at least 290 — and even had names of suspects, officials admitted Monday. “Fourteen days before the…
Sri Lanka's Perfect Storm of Failure (Foreign Policy) There were many chances to stop the Easter Sunday attacks. The government missed them all.
FBI: Losses From BEC Scams Almost Doubled Last Year (Threatpost) Overall, in 2018 the FBI received more than 351k reported scams with losses exceeding $2.7 billion.
Inspector general: FBI didn’t fully explore whether it could hack a terrorist’s iPhone before asking court to order Apple to unlock it (Washington Post) A new report raises questions about the FBI and Justice Department’s approach to policy in facing the challenge of gaining access to suspects’ encrypted devices.
Apple CEO says FBI's 2016 case about San Bernardino shooter's locked iPhone was 'very rigged' (CNBC) Apple's CEO is still upset about a court battle with the FBI from 2016 following the San Bernardino terrorist attack.
U.S. charges American engineer, Chinese businessman with stealing GE’s trade secrets (Washington Post) The Justice Department’s indictment links the alleged theft to China’s global commercial ambitions.
Safe KC: Inside the Western Missouri Cyber Crimes Task Force (KSHB) In one year, the Western Missouri Cyber Crimes Task Force usually receives about 400 tips. In the first four months of 2019, it has opened nearly 300 cases.