Cyber Attacks, Threats, and Vulnerabilities
Three United Nations offices hacked (Computing) Three UN agencies pwned, 22 administrative-level accounts compromised and malware implanted on 40 servers
Leaked report shows United Nations suffered hack (AP NEWS) Sophisticated hackers infiltrated U.N. networks in Geneva and Vienna last year in an apparent espionage operation that top officials at the world body kept largely quiet. The...
Israel says it thwarted serious cyber attack on power station (Reuters) Israel foiled a major cyber attack on one of its power stations a few months ago...
Energy minister: Israel stopped 'serious' cyber attack on power plant (The Jerusalem Post) Energy Minister Yuval Steinitz said the attempted attack was detected "a few months ago."
The greatest risk to national security you’ve never heard of (C4ISRNET) History has taught us the negative outcomes of vulnerable undersea cables. But the United States doesn't have to be so vulnerable.
Russian trolls and bots are successful because we know they exist (Quartz) You shouldn't assume that "anyone who has a weird username is a Russian agent."
Maze ransomware group threatens to post data from victims who refuse to pay-up (Computing) Twenty-five alleged victims - many of them previously unknown - listed on Maze's website
Fraud spike prompts Chrome developer lock-out (Naked Security) Google Chrome extension developers have been left high and dry for weeks as the company struggles to cope with a spike in fraud on the Chrome Web Store.
Frenchy – Shellcode in the Wild (Zscaler) ThreatLabZ has observed a number of AutoIt and .NET samples from different malware families using what is being called Frenchy shellcode.
FBI Warns of Rise in Social Security Scams Spoofing Its Phone Number (BleepingComputer) The U.S. Federal Bureau of Investigation (FBI) on Tuesday has issued a warning about a spike in its phone number being used for Social Security fraud.
Sprint Exposed Customer Support Site to Web (KrebsOnSecurity) Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.
Hackers infiltrated a big Facebook data partner to launch scams (CNET) Marketing giant LiveRamp has privileged access to advertising accounts on the social network. Hackers took notice.
Malware Tries to Trump Security Software With POTUS Impeachment (BleepingComputer) The TrickBot malware has been spotted using text from articles about President Trump's impeachment to bypass the scanning engines of security software.
Emotet Uses Coronavirus Scare to Infect Japanese Targets (BleepingComputer) A malspam campaign is actively distributing Emotet payloads via emails that warn the targets of Coronavirus infection reports in various prefectures from Japan, including Gifu, Osaka, and Tottori.
Indian airline SpiceJet confirms breach of 1.2 million passenger details (TechCrunch) SpiceJet, one of India’s largest privately owned airlines, has confirmed a data breach involving the details of over a million of its passengers. The security researcher, who described their actions as “ethical hacking” but whom we are not naming as they likely ran afoul of U.S. compute…
LabCorp Exposes Thousands Of Medical Documents - Commentary (Information Security Buzz) A vulnerability in LabCorp’s website that hosts the company’s internal customer relationship management system, exposed thousands (at least 10,000) of medical documents that contained names, dates of birth, Social Security numbers of patients, lab test results and diagnostic data. While the system was password-protected, the part of the website that pulls patient files from the …
15 NFL teams’ Twitter hijacked in lead-up to the Super Bowl (Naked Security) “We are here to show people that everything is hackable,” says hacking group OurMine, back to spread its unwelcome spiel on hacked accounts.
Amazon Engineer: 'Ring should be shut down immediately and not brought back' (The Next Web) An Amazon software engineer named Max Eliaser is calling for the shutdown of Ring, the doorbell camera company Amazon paid $2 billion for in 2018. Hundreds of Amazon employees recently banded together to form Amazon Employees for Climate Justice, an organization dedicated to holding the company’s feet to the fire when it comes to taking …
Security Patches, Mitigations, and Software Updates
Microsoft issues second 'final' Windows 7 update (BBC News) The end of support for the ageing operating system turns out to be not quite the end.
Apple patches critical bugs on iPhone and Mac – update now! (Naked Security) Get them now before the crooks figure out what to do with the holes.
Apple security updates (Apple Support) This document lists security updates for Apple software.
Intel promises fix after researchers reveal ‘CacheOut’ CPU flaws (Naked Security) Forget the infamous Meltdown and Spectre chip flaws from 2018, the problem that’s tying down Intel’s patching team these days is a more recent class of side channel vulnerabilities known collective…
OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability (Posted by Qualys) Qualys has found a critical vulnerability leading to a possible privilege escalation.
Cyber Trends
5 Security Trends and Predictions to Watch in 2020 (Bricata) A look at 5 security trends that could dominate the 2020 cybersecurity landscape.
Cost of Insider Threats: Global study 2020 (IBM) Ponemon Institute is pleased to present the findings of the 2020 Cost of Insider Threats: Global study. Sponsored by ObserveIT and IBM, this is the third benchmark study conducted to understand the direct and indirect costs that result from insider threats.
New 2020 Ponemon Institute Study: Frequency and Cost of Insider Threats Have Spiked Dramatically in Last Two Years (Proofpoint US) According to a new study from Ponemon Institute, sponsored by ObserveIT and IBM, the frequency of insider threats has risen by 47% in only two years. Insider threats cost organizations 31% more than they did in 2018.
93% of Mobile Transactions Blocked as Fraudulent in 2019 Says New Report on Mobile Ad Fraud by Upstream (AFP) 93 percent of total mobile transactions in 20 countries were blocked as fraudulent in 2019 according to a report on the state of malware and mobile ad fraud released today by mobile technology company, Upstream.
The invisible digital threat | Mobile Ad Fraud 2019 Report (Upstream) The report exposes the workings of mobile ad fraud and its connection to malware, explaining how malicious mobile apps operate, their major forms and the state of malware in numbers, as captured by Secure-D
Marketplace
Almost $10B Invested In Privacy And Security Companies In 2019 (Crunchbase News) Close to $10 billion was invested in privacy and security companies in 2019, an all time high in the last decade up more than five-fold from $1.7 billion in 2010.
There’s a ‘sovereignty movement’ in tech, with big consequences (Defense News) For the last few years the Pentagon and technology community have muddled through efforts to improve cooperation, eliminating barriers to entry.
Avast Antivirus Is Shutting Down Its Data Collection Arm, Effective Immediately (Vice) Avast will no longer collect or sell its users' internet browsing data and will "wind down Jumpshot's operations, with immediate effect."
To all our valued stakeholders – customers, partners, employees and investors, (Avast) I’d like to take this opportunity and address the situation regarding Avast’s sale of user data through its subsidiary Jumpshot.
The security and privacy of our users worldwide is Avast’s priority (Avast) In recent days media outlets have reported on Avast and our subsidiary Jumpshot.
Is It Time to Stop Using Avast Antivirus Software? (Consumer Reports) Avast, maker of Avast antivirus software, has been sharing personal info with a subsidiary that sells its analysis to other companies. Consumer Reports tells you how to limit the impact of the company's data collection practices.
How just five companies came to dominate the world’s 5G networks (The Telegraph) How do you solve a problem like Huawei?
Saudi-backed spyware group denies role in Jeff Bezos hack and says it plans to restructure ownership (The Telegraph) A spyware company named in connection with the alleged Saudi hacking of Jeff Bezos's phone has denied any involvement in the operation and said it plans to distance itself from the Gulf kingdom.
Microsoft Posts Record Sales as Cloud Business Continues to Grow (Wall Street Journal) Microsoft’s intelligent cloud unit, which includes its Azure cloud services, had sales of $11.87 billion, up 27% from the year-ago period.
Facebook Reports Revenue Growth, Rising Expenses (Wall Street Journal) The social-media giant reported a growing base of users and increasing quarterly revenue, capping a year of reliable strength in its core advertising business even as expenses climbed.
Amazon clobbered after a miss on the bottom line and soft guidance (CNBC) Amazon's third-quarter earnings fell short of street expectations, driving its stock down as much as 9% in after-hours trading.
AppOmni Raises $10 Million in Series A Funding Led by ClearSky (AiThority) AppOmni, provider of a SaaS security and management platform, announced that it has raised $10 million in Series A funding led by ClearSky.
Concentric raises $7.5 million to identify and protect sensitive enterprise data with AI (VentureBeat) Concentric uses AI and machine learning technologies to spotlight business-critical data at risk of falling into the wrong hands.
Why Cellebrite Is Buying BlackBag Technologies For $33 Million (Pulse 2.0) Cellebrite, a company that develops software that unlocks and extracts data from mobile devices, recently announced it is buying BlackBag for $33 million.
NYC names winners of small-business cybersecurity challenge (StateScoop) The winners of NYC’s latest competition are developing cybersecurity solutions — like phishing and end-point protection — for small businesses in the city.
Appsian Announces Record Customer Growth in ERP Data Security for SAP and PeopleSoft (BusinessGhana) Appsian Announces Record Customer Growth in ERP Data Security for SAP and PeopleSoft With this continued momentum, Appsian’s position as an...
Team Cymru Enters Latin America with EdgeUno to Accelerate Delivery of Threat Intelligence (Globe Newswire) Team Cymru expands its global footprint to deliver efficiencies in internet security monitoring to its clients.
ManTech adds former NSA exec (Washington Technology) ManTech International brings on board a just-retired executive from the National Security Agency to the company's leadership team.
Caldwell Places Chief Marketing Officer at Recorded Future (Hunt Scanlon Media) As business becomes more global and complex, and power shifts from producers of goods and services to consumers, the chief marketing officer’s job of planning and coordinating marketing activities has become more challenging — and much more influential. Mercedes Chatfield-Taylor, managing partner of the private equity and venture capital practice at Caldwell, recently placed former Acquia executive Tom
Ex-Twitter CISO, Mike Convertino, joins Arceo and leads a CISO Revolution (PR Newswire) Mike Convertino, the former CISO of Twitter, Crowdstrike and F5 Networks as well as CTO of the Security Product Group at F5, has joined Arceo...
Bricata Names John Becker Executive Chair of its Board of Directors (Bricata) Seasoned Executive and Former Sourcefire CEO Brings More than 30 Years of Technology and Business Experience to the Fast-Growing Network Security Startup.
VMware's chief customer officer, 4 direct reports to leave company in restructuring (Silicon Valley Business Journal) The executive departures accompany a round of layoffs affecting employees in the Bay Area and other offices.
Products, Services, and Solutions
FIME boosts biometrics services with FIDO Alliance accreditation (FIME) FIME has been accredited to test biometric components in line with FIDO Alliance’s Biometric Component Certification Program. The accreditation enables device manufacturers and solution providers to ensure the quality and performance of biometric authentication solutions including fingerprint, facial, voice, and iris recognition.
nCipher Introduces Cloud-first Architecture, Bringing Security and Control to Public and Private Clouds (BusinessWire) nCipher Security, an Entrust Datacard company and provider of trust, integrity and control for business critical information and applications, announc
Arceo.ai Helps CISO's Better Manage Risk through Smart Forecasting (PR Newswire) Today's CISO is expected to look beyond the traditional technical approach to comprehensively address risk across their organization....
UJET Furthers its Commitment to Securing its Customers Through its Latest Data Protection and Privacy Certifications (BusinessWire) UJET today announced the completion of its latest round of data protection and privacy certifications.
Qohash launches its first commercial data security solution, aimed at protecting financial institutions (PR Newswire) Qohash today announces the launch of its first data security solution to help financial institutions protect their sensitive data. With a focus...
Fusion Risk Management Launches Fusion Connector for Everbridge Risk Intelligence (BusinessWire) Fusion Risk Management, Inc. (“Fusion”), a leading provider of business continuity and risk management software and services, announced today the laun
Idex Biometrics and Thales achieves certifications for smart cards, mobile ID security software (Biometric Update) Idex Biometrics has successfully completed the EMVCo Security Evaluation for its development site in Farnborough, U.K., making a landmark achievement as it is planning a large-scale production of b…
New 'I Got Phished' Service Alerts Companies of Phished Employees (BleepingComputer) A new service called 'I Got Phished' has launched that will alert domain and security administrators when an employee in their organization falls for a phishing attack.
DigiCert Modernizes PKI with the Release of IoT Device Manager and Enterprise PKI Manager, New Offerings in DigiCert® ONE (DigiCert) DigiCert Managers are built from the ground up to provide fast, flexible PKI deployment
Technologies, Techniques, and Standards
Why MITRE ATT&CK™ is the cybersecurity framework of 2020 (Teiss) Security fragmentation is one of the biggest issues facing cybersecurity leaders today.
Cyber Threat Alliance and FS-ISAC Sign Cooperative Working Agreement (Cyber Threat Alliance) Both entities will cooperate on threat intelligence and collaborate on future cybersecurity exercises
Object Management Group Issues DDS C# API Request for Proposal (Object Management Group) Press Release: Interoperable API to increase DDS deployments in new applications and industries.
Protect Your Company from Phishing Scams (Computer Services Unlimited, Inc.) According to the FTC Consumer Information division, phishing is when a scammer or hacker attempts to steal personal or sensitive information through an email, text, or phone call. For many business owners, phishing emails present a worrisome problem that is...
Dumping Firmware With the CH341a Programmer (Black Hills Information Security) Rick Wisser // Note: This blog will also be a lab for any of the upcoming Wild West Hackin’ Fest Conferences. During a recent engagement, I came across an issue. The issue I encountered was that the SPI chip I was trying to dump the firmware off of was a 1.8v chip. This would not …
The Cybersecurity 202: There’s a new cross-country effort to train election and campaign pros on digital security (Washington Post) A team from the University of Southern California has embarked on a 50-state tour to give cybersecurity training to poll workers and state and local campaign staffers who will be the last line of defense against Russian hacking in 2020.
Our Candidate is DEMOCRACY. (University of Southern California) Tools and Information to Protect U.S. Campaigns and Elections from Cyber Attacks
1 Simple Step Could Help Election Security. Governments Aren't Doing It (NPR.org) Local governments could perform a simple upgrade to make it clear to voters that they are reading from a legitimate source. But on the whole, they aren't doing it.
Life during cyber wartime: Exelon IT experts detail live exercises (Power Engineering International) Most war exercises are starkly visual, intimidatingly loud experiences. Weapons, hardware, maybe even smoke and booms are involved. The cyberwar is a different animal altogether, with an invisible enemy probing for weakness along the wall separating information and operations. Most are fended off, but Ukrainian power generators learned the hard way after malware shut down...
Six Signs You have a Great Cybersecurity Culture (Bitdefender) Six Signs You have a Great Cybersecurity Culture
Improve PCI DSS compliance by embracing a security culture (Software Integrity Blog) The downward trend in organizations passing PCI DSS interim security testing is worrying. PCI DSS compliance requires security every day, not once a year.
Aftermath of a Major ICS Hacking Contest (Dark Reading) Pwn2Own Miami could help spur more research on and attention to the security of industrial control system products, experts say.
Design and Innovation
Twitter Adds Feature to Thwart Misinformation About U.S. Voting Process (Wall Street Journal) Twitter is giving users the ability to flag tweets that they believe contain misleading information about how to vote in this year’s U.S. presidential election, underscoring efforts to show it is trying to safeguard the process.
Jeff Bezos’s iPhone had Apple’s state-of-the-art security, and that may have helped its alleged hackers (Washington Post) Security researchers say Apple’s secretive stance on bugs may prove to be an Achilles’ heel.
Super Bowl ad for password manager Dashlane drops you straight into Dante's Inferno (CNET) Because forgetting your password can be its own kind of hell.
Research and Development
Researchers Exploit Low Entropy of IoT Devices to Break RSA Certificates (IEEE Spectrum) The hardware limitations of the Internet of Things means the digital certificates these devices rely on to encrypt data can be easily compromised
Radiflow and Fraunhofer Institute Launch Joint Research on Applying Artificial Intelligence to Industrial Cybersecurity (PR Newswire) Radiflow, a leading provider of cybersecurity solutions for industrial automation networks, and the Fraunhofer Institute of Optronics, System...
Legislation, Policy, and Regulation
Russia just blocked its citizens from using ProtonMail (Inverse) This isn't the first challenge encrypted email has seen in Russia.
ProtonMail and StartMail blocked by Russia (Computing) Encrypted email providers say it's part of the country's crackdown on digital privacy
‘Five Eyes’ intel alliance ties up with Japan on North Korea threat (The Japan Times) The "Five Eyes" intelligence-sharing alliance of English-speaking nations is working with France, Japan and South Korea in an effort to restrain North Kore
PM: UK Huawei contract will not imperil security (BBC News) The PM is asked how he would convince the US his decision to give Huawei a role in the UK's 5G network was "safe".
US urges UK to reconsider Huawei 5G decision (Computing) Mike Pompeo describes Huawei as a 'real risk' to security and tells foreign secretary Dominic Raab to reconsider its role in the UK's 5G and fibre networks
Government Huawei ruling will cost £500m over five years, claims BT (Computing) BT claims that it will need to remove Huawei equipment from the EE mobile network to comply with the government's ruling
Boris Johnson moves to heal US-UK rift over Huawei by ending reliance on Chinese technology (The Telegraph) Boris Johnson has moved to heal the rift with the US over Huawei by telling Donald Trump he will never again allow Britain to become reliant on Chinese technology.
Britain underestimates the Huawei threat (TheHill) Very large intelligence advantages can be gained from very small pieces of communications data.
Eric Schmidt says Pentagon should open up its tech to stunt Huawei's growth (The Telegraph) One of Silicon Valley's most prominent billionaires has called on the US military to give private companies access to radio frequencies currently reserved for security operations, in a bid to push back against the growing dominance of Huawei.
‘Unbelievably ridiculous’: Four-star general seeks to clean up Pentagon’s classification process (Defense News) Gen. John Hyten, vice chairman of the Joint Chiefs of Staff, hopes to see “significant improvement” this year on loosening classification standards in the infamously overclassified Pentagon.
Langevin Bill Granting CISA Limited Subpoena Authority Passes House Committee on Homeland Security (Congressman Jim Langevin) This morning, the House Committee on Homeland Security favorably reported H.R. 5680, the Cybersecurity Vulnerability Identification and Notification Act.
House GOP introduces bill to secure voter registration systems against foreign hacking (TheHill) Republicans on the House Administration Committee on Wednesday introduced legislation that would seek to update a long-standing federal election law and secure voter registration databases from foreign hacking attempts.
DoD to drop second piece of supply chain cyber puzzle (Federal News Network) With the Cybersecurity Maturity Model Certification accreditation board set up, the Pentagon expects to release version 1 of the cyber standards on Friday that will kick off the effort in earnest.
Dept. of Interior grounds its drones amid cybersecurity concerns (TechCrunch) The U.S. Department of the Interior has confirmed it has grounded its fleet of non-emergency drones amid concerns over cybersecurity. In a brief statement, the department said the move will help to ensure that “the technology used for these operations is such that it will not compromise our n…
Let’s make ransomware MORE illegal, says Maryland (Naked Security) … with a clumsily worded proposed bill that wouldn’t protect researchers.
Maryland bill would outlaw ransomware, keep researchers from reporting bugs (Ars Technica) Requires consent before infecting, criminalizes other computering.
Fleet Cyber Command / U.S. 10th Fleet Celebrates 10th Anniversary (DVIDS) U.S. Fleet Cyber Command/U.S. 10th Fleet (FCC/C10F) celebrated its 10th anniversary during a ceremony held at its headquarters Jan. 29.
Litigation, Investigation, and Law Enforcement
Senator calls for US intelligence to investigate Jeff Bezos 'phone hacking' (the Guardian) Chris Murphy urges FBI and DNI to look into whether message from Saudi prince triggered hacking of Amazon founder’s phone
Facebook to Pay $550 Million to Settle Facial Recognition Suit (New York Times) It was another black mark on the privacy record of the social network, which also reported its quarterly earnings.
Caltech wins $1.1B patent infringement suit against Apple and Broadcom (Silicon Valley Business Journal) Caltech said the victory against Cupertino-based iPhone maker Apple Inc. and San Jose-based chipmaker Broadcom Inc. involved patents for Wi-Fi chips that have been used in hundreds of millions of devices.