The CyberWire Daily Briefing, 1.28.20

Cyber Attacks, Threats, and Vulnerabilities

Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator - The Citizen Lab (The Citizen Lab) New York Times journalist Ben Hubbard was targeted with NSO Group’s Pegasus spyware via a June 2018 SMS message promising details about “Ben Hubbard and the story of the Saudi Royal Family.” The SMS contained a hyperlink to a website used by a Pegasus operator that we call KINGDOM. We have linked KINGDOM to Saudi Arabia. In 2018, KINGDOM also targeted Saudi dissidents including Omar Abdulaziz, Ghanem al-Masarir, and Yahya Assiri, as well as a staff member at Amnesty International.

FBI Releases Alert on Iranian Hackers' Defacement Techniques (BleepingComputer) The FBI Cyber Division issued a flash security alert earlier this month with additional indicators of compromise from recent defacement attacks operated by Iranian threat actors and info on attackers' TTPs to help administrators and users to protect their websites.

Leaked Documents Expose the Secretive Market for Your Web Browsing Data (Vice) An Avast antivirus subsidiary sells 'Every search. Every click. Every buy. On every site.' Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.

Avast subsidiary Jumpshot sells every click on antivirus users' PCs (Computing) Avast is embroiled in new claims that it spies on users and sells their web browsing data

Antivirus software maker Avast is reportedly selling its users' web data (CNET) Sensitive browsing data is repackaged and sold by a subsidiary called Jumpshot, according to a Motherboard and PCMag investigation.

Report: Avast and AVG collect and sell your personal info via their free antivirus programs (PCWorld) The report alleges that Avast and AVG are collecting personal information and sending it to Jumpshot, a subsidiary that provides information on every "search, click and buy" you make to corporate clients.

The average ransom demand for a REvil ransomware infection is a whopping $260,000 (ZDNet) Security researchers sinkhole the REvil ransomware servers and gain an insight into the operation of today's biggest ransomware gang.

Tracking REvil (KPN) After the message GandCrab quit, a hole was left in the scene. It was time for a new contender. In the last few months REvil/Sodinokibi seems to have filled that gap. There already have been multiple blogs describing the similarities between GandCrab and REvil affiliates. We’ll stay clear of the similarities in this blog and focus on the usage statistics of the ransomware family by looking at samples, infection rates and ransom demands.

A new piece of Ryuk Stealer targets government, military and finance sectors (Security Affairs) A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking. Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to […]

SIM Swappers Are Phishing Telecom Company Employees to Access Internal Tools (Vice) SIM swappers are particularly interested in a tool called Omni from Verizon that allows hackers to take over phone numbers.

Zoom-Zoom: We Are Watching You (Check Point Research) Alexander Chailytko Cyber Security, Research & Innovation Manager In this publication we describe a technique which would have allowed a threat actor to potentially identify and join active meetings. All the details discussed in this publication were responsibly disclosed to Zoom Video Communications, Inc. In response, Zoom introduced a number of mitigations, so this attack... Click to Read More

Citrix Flaw Exploited by Ransomware Attackers (Infosecurity Magazine) German car parts maker among the victims

Gedia Automotive hit by “massive cyber-attack” (Automotive Logistics) Gedia Automotive Group has been the victim of a cyber-attack by a gang using ransomware known as Sodinokibi...

RCE Exploit for Windows RDP Gateway Demoed by Researcher (BleepingComputer) A remote code execution (RCE) exploit for Windows Remote Desktop Gateway (RD Gateway) was demoed by InfoGuard AG penetration tester Luca Marcelli, after a proof-of-concept denial of service exploit was released by Danish security researcher Ollypwn on Friday for the same pair of flaws.

Assessing the Dangers Caused by Cryptojacking (Security Boulevard) Cryptojacking, also known as crypto mining, is an online threat hidden on a computer or a mobile device, using its resources to mine for cryptocurrencies.

Loophole closed, service members’ medical images no longer accessible online (Military Times) Some troops' sensitive medical information can no longer be found online, according to Virginia Sen. Mark Warner.

Twitter accounts of NFL, Packers, Chiefs appear to have been hacked (USA TODAY) Twitter accounts belonging to the NFL and multiple teams all posted messages Monday claiming that "everything is hackable."

Contra Costa County Cyber Attack Has Officials On Alert Ahead of Elections (NBC Bay Area) A recent cyber attack in Contra Costa County libraries has officials looking closely at how to keep the upcoming elections safe.

Vulnerability Summary for the Week of January 20, 2020 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Security Patches, Mitigations, and Software Updates

Intel Is Patching the Patch for the Patch for Its ‘Zombieload’ Flaw (Wired) Intel's made two attempts to fix the microprocessor vulnerability it was warned about 18 months ago. Third time’s the charm?

Intel to release more patches for 'Zombieload' vulnerabilities affecting its processors (Computing) Security researchers criticise Intel for its piecemeal approach towards micro-architectural data sampling flaws

Starting the Decade by Giving You More Control Over Your Privacy (About Facebook) We're sharing some of the work we’ve been doing to give you more control over your privacy on and off Facebook.

Tinder to get panic button, catfish-fighting facial recognition (Naked Security) It’s both a genius move to protect from assault and fraud and a personal data grab.

Cyber Trends

Is Business Ready for an Extinction-level Event? Deloitte Poll Reports Destructive Cyberattacks as Top Cyber Risk (PR Newswire) Key takeaways In an era of technological transformation and cyber everywhere, the attack surface is exponentially growing as cyber criminals...

Okta Businesses @ Work 2020 | Technology Industry Trend Report (Okta) An in-depth look into how organizations and people work today — exploring workforces and customers, and the applications and services they use to be productive.

Americans want stronger privacy over easier access to health data (HOTforSecurity) In a welcome mentality shift, Americans are starting to put their privacy first and convenience second when it comes to their health data, according to a study by America’s Health Insurance Plans (AHIP). Most surveys asking people about their experience... #health #healthdata #healthrecord

Data Privacy Day: Gaining and maintaining trust is key for data defenders (SC Magazine) Building & ensuring trust are recurrent themes from our commentators, which also include education, awareness, going beyond compliance, implementing best practice, & a host of other concerns.

Privacy Complacency: The Hidden Dangers Lurking Beneath Today’s Surface-Level Data Protection (ProPrivacy.com) For Data Privacy Day 2020, we're launching our brand new eBook on privacy complacency. Have you taken steps to secure your data online? How do you know what you're doing is effective? This new data report delves into our behavior when it comes to protecting our data and suggests solutions to protect the digital privacy of you and your family today.

What happens in cyberspace does not stay in cyberspace (The International News) We live in an era of transformation, witnessing the process of digitisation rapidly taking place in every possible sector across the globe. The development in telecommunication industry and the growing digital space has opened new avenues to...

McAfee Report Demonstrates That Data Is Widely Dispersed in the Cloud Beyond Most Enterprise Control (BusinessWire) McAfee, the device-to-cloud cybersecurity company, today released a new research study titled Enterprise Supernova: The Data Dispersion Cloud Adoption

IoT Trouble: The Sonos Example — And More (Medium) The everything-computerized-and-always-connected smarthome is a work in progress. This slow pace is a good thing because it gives us time to consider new technical and societal challenges.

The real reason tech companies want regulation (Exponential View) Clarence isn’t from the 313.

Security tools still among the fastest-growing apps in corporate America (CyberScoop) More of the tools used throughout the private sector are ones that help company staffers better manage or prevent security incidents.

Bernie Sanders and His Internet Army (New York Times) At the start of his 2020 bid, the Vermont senator told his supporters that he condemned bullying. Is it his problem if many don’t seem to listen?

Marketplace

An Industry Perspective on Closing the Cyber Workforce Gap (SIGNAL Magazine) Unfortunately, this is not a problem that is getting smaller, says Ryan Bagby, senior program manager, Cybersecurity Special Missions, Raytheon Intelligence, Information & Services.

AppOmni Raises $10 Million in Series A Funding Led by ClearSky (BusinessWire) AppOmni announces $10 million Series A funding round

Is This Acquisition One Too Many, Even For Accenture? (Seeking Alpha) Accenture’s strategy has been predicated on creating a technology platform to supplement and further the delivery of its services. Accenture has been steadily a

Products, Services, and Solutions

F Secure Oyj : Highly positive response to F-Secure ID PROTECTION signals strong demand in the operator channel (MarketScreener) Cyber security provider F-Secure has begun to roll out F-Secure ID PROTECTION and five operator partners around the world have already signed up...

AI-Hunter v3.6.1 Is in the Wild! - Active Countermeasures (Active Countermeasures) AI-Hunter 3.6.1 is out! This release is focused on fixes and smaller features. We hope you’ll give it a try! New Features …

Datadobi Eases NAS Migrations with New DIY Starter Pack (Yahoo) Datadobi, the global leader in unstructured data migration software, is making its purpose-built NAS migration technology – already in use by hundreds of the world’s largest organizations for the biggest, most complex projects – available to companies of all sizes via a Starter Pack. The channel-ready

Corelight Announces Full Support for Elastic Common Schema for Simplified Search and Analytics Capabilities (PR Newswire) Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today reinforced its support for the...

Technologies, Techniques, and Standards

Federal agency offers guidelines for businesses defending against ransomware attacks (TheHill) The National Institute of Standards and Technology (NIST) published draft guidelines Monday providing businesses with ways to defend against debilitating ransomware attacks.

Facebook, Google and Twitter scramble to stop misinformation about coronavirus (Washington Post) Major social-media sites already are rushing to prevent pervasive conspiracy theories about the illness, including a hoax that wrongly claims U.S. government officials secretly created the disease in a lab.

US Space Industry to Launch Cybersecurity Portal (Infosecurity Magazine) Space ISAC cybersecurity information-sharing portal planned for spring 2020

Protector Of N.H. Primary Claims 'You Can't Hack This Pencil,' But Worries Persist (NPR.org) Some worry that New Hampshire Secretary of State Bill Gardner's office was too slow to acknowledge the scale of the election security problem and focused on addressing the wrong challenges.

One Small Fix Would Curb Stingray Surveillance (Wired) The technology needed to limit stingrays is clear—but good luck getting telecoms on board.

Can PAM Coexist with the Zero Trust Security Model? Yes says Thycotic (American Security Today) By Joseph Carson, Chief Security Scientist (CSS) & Advisory CISO at Thycotic What is the Zero Trust security model and why was it introduced? The concept of Zero Trust security isn’t new; the term was coined by Forrester back in 2010 and was initially synonymous with a network security approach known as micro-segmentation. Micro-segmentation is …

How to catch cyberattackers with traditional military deception (Army Technology) Tony Cole, CTO of Attivo Networks, NASA Advisory Council member and (ISC) ² board member, tells Harry Lye how traditional military deception techniques can be adapted for the digital domain to combat cybersecurity threats.

OT cyber monitoring is not sufficient to identify many significant control system cyber incidents (Control Global) A major news organization contacted me about my control system cyber incident database. I have been very clear the database is not public but I could provide sanitized information. Until now, that was not sufficient to get media interest as they wanted names.

How to detect and prevent issues with vulnerable LoRaWAN networks (Help Net Security) IOActive researchers found that a great number of vulnerable LoRaWAN networks, and have released the free LoRaWAN Auditing Framework.

What You Should Actually Learn From a Pentest Report (Black Hills Information Security) So you’ve been pentested. Congrats! It might not feel like it, but this will eventually leave you more confident about your security, not less. The real question is – why might it not feel like it? Pentest findings can be broken down many ways, of course – the obvious one …

How To Replay RF Signals Using SDR (Black Hills Information Security) RF Signal Replay Techniques Disclaimer: Be sure to use a faraday bag or cage before transmitting any data so you don’t accidentally break any laws by illegally transmitting on regulated frequencies. Additionally, intercepting and decrypting someone else’s data is illegal, so be careful when researching your traffic. Preface: Recently, …

Exercise Crossed Swords 2020 Reached New Levels of Multinational and Interdisciplinary Cooperation (CCDCOE) The 6th iteration of the annual cyber exercise Crossed Swords in Riga, Latvia, brought together more than 120 technical experts, Cyber Commands´ members, Special Forces operators and military police.

Cyber defense game brings together security experts, special forces and more as military prepares for warfare 2.0 (ZDNet) The Crossed Swords exercise got security professionals across the world to leverage cyberattacks to protect national interests.

More countries participate in NATO’s cyber exercise (Fifth Domain) NATO officials said they reached new levels of cooperation during the organization’s annual cyber exercise.

This Is What Hacking an iPhone Actually Looks Like + Hidden Details (iDrop News) If you’ve ever wondered what hacking an iPhone looks like, a forensic analyst has posted an image to Reddit that gives you a peek behind the curtain.

Design and Innovation

Google to redesign its redesign after criticism it made adverts blend-in with organic search results (Computing) Google to experiment with its desktop search website following criticism over its redesign

Avast Explains Cybersecurity AI at Enigma Conference (Avast) Find out from researcher Sadia Afroz how Avast uses a huge data set to quickly update new models, providing crucial, up-to-the-second protection.

Legislation, Policy and Regulation

As Virus Spreads, Anger Floods Chinese Social Media (New York Times) The sheer volume of criticism of the government, and the sometimes clever ways that critics dodge censors, are testing Beijing’s ability to control the narrative.

Ukrainian Plane Tragedy Challenges Tehran's Narrative Of 1988 U.S. Shoot-Down Of Iranian Airliner (RadioFreeEurope/RadioLiberty) The January 8 downing of a Ukrainian passenger plane by Iran has led some to recall the 1988 U.S. shoot-down of an Iranian commercial aircraft, which Tehran has frequently used in the past 30 years to blast Washington. Analysts say the recent tragedy undermines the clerical establishment's use of the 1988 downing of Iran Air Flight 655 as propaganda against the United States.

Saudi Arabia outsources cyber arsenal, buys spyware, experts say (Alton Telegraph) If it turns out that Saudi Arabia hacked into the phone of Amazon.com Chief Executive Officer Jeff Bezos, as investigators have alleged, the oil rich nation likely utilized its preferred method of cyber espionage: outsourcing.

Huawei granted 'limited' role in UK 5G and fibre network roll-outs (Computing) Government decision to allow Huawei to supply non-core 5G equipment likely to please no-one

UK decision on Huawei's participation in 5G networks due today (Computing) Prime Minister Boris Johnson under pressure from both sides over inclusion of Huawei in the UK's 5G networks

Boris Johnson hints at compromise over Huawei and 5G (the Guardian) PM says solution will allow technological progress but not jeopardise US relationship

As Britain decides, Europe grapples with Huawei conundrum (Reuters) Britain's decision on whether to allow Huawei to supply equipment for 5G mo...

Key Republicans seek ban on intel sharing with countries that use Huawei (C4ISRNET) The legislation could potentially downgrade America’s “special relationship” with the U.K., which is reportedly expected to grant Chinese telecom giant Huawei some access to its nascent 5G network.

Analysis | The Cybersecurity 202: Mike Rogers, former Republican House Intel chief, blasts Congress for not taking action on Huawei (Washington Post) His old panel is “just broken" amid partisan warfare, Rogers says.

The Right Way to Deal With Huawei (Foreign Affairs) The United States needs to compete with Chinese firms, not just ban them.

US Rolls Out New Bill to Reform NSA Surveillance (Infosecurity Magazine) New US bill could end mass surveillance of phone records by the NSA

Senator Warner Says FTC Not Doing Enough on Sale of Browsing Data (Vice) Warner's comments come after a Motherboard and PCMag investigation found antivirus Avast selling browsing data to Home Depot, Google, and other companies.

Union Leader Says Utilities Not Incentivized to Report Cyber Incidents or Implement Protections (Nextgov.com) FERC’s recently “expanded” reporting requirements leave it up to entities to decide on qualifying events.

NY State Senate Bill Would Ban Police Use of Facial Recognition Technology (New York Law Journal) The bill would also create a task force to examine how to regulate biometric technology in the future, with seats reserved for the state police and the New York City Police Department, among other agencies.

Litigation, Investigation, and Enforcement

The Jeff Bezos Hack Shows Vulnerability Beyond Tech (Washington Post) The innocuous-looking video file believed to have been used to hack Jeff Bezos’s smartphone says a lot about the technological sophistication of today’s spyware.

Instagram CEO’s homes were targetted by SWATters (Naked Security) Instagram CEO Adam Mosseri’s houses were surrounded by SWAT teams after hoax phone calls claimed hostages were being held there.

People Are Calling SWAT Teams to Tech Executives’ Homes (New York Times) Online forums carry personal details of potential targets like industry leaders and their families. The police are struggling to find a solution.

Cardplanet mastermind pleads guilty to credit card fraud (Naked Security) Cardplanet offered refunds on invalid card data, along with a card checking service that ensured a stolen card was still valid.

Magecart gang arrested in Indonesia (ZDNet) First-ever arrest of a Magecart hacker gang.

VMware hit with $236M verdict in patent suit, says it plans to 'vigorously' fight ruling (Silicon Valley Business Journal) The $60 billion software company said it plans to fight the verdict.

Reichman Jorgensen Secures $236 Million Patent Infringement Verdict for Densify Against VMware (Yahoo) Reichman Jorgensen LLP has secured a $236 million patent infringement verdict on behalf of Densify against tech giant VMware, Inc.

US appeals court rejects Tennessee election security lawsuit (AP NEWS) MEMPHIS, Teen. (AP) — A federal appeals court has sided with a lower court in rejecting a lawsuit that challenges the security of voting machines in Tennessee's largest county. A...

Bring your own context.

Coming soon: CyberWire Pro.