Cyber Attacks, Threats, and Vulnerabilities
Serbia’s Independent N1 Portal Buffeted by Cyber-Attacks (Balkan Insight) The Serbian website of the regional media outlet TV N1 has been hit by a wave of cyber-attacks in the last few days, after launching a public campaign to support the channel.
China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest info (Register) Supply-chain hackers now taking aim at kids fighting for democracy, say researchers
Winnti Group targeting universities in Hong Kong (WeLiveSecurity) ESET researchers have discovered a new campaign of the Winnti Group that deploys ShadowPad and Winnti malware to target universities in Hong Kong.
If the US launches cyberattacks on Iran, retaliation could be a surprise (Fifth Domain) The implication that cyberattacks are somehow a safer response for the United States than kinetic attacks is dangerous. More needs to be done to prepare the American people for Iranian cyber retaliation.
Iranian hackers monitor hotels, travel industry to follow targets, expert warns (Times of Israel) 'There are some serious physical concerns about potential victims being tracked,' FireEye's head of intelligence John Hultquist tells cybersecurity conference in Tel Aviv
Iran’s revenge is already well under way (Avast) Long stretch of reconnaissance, malware plantings position Iran to carry out varied attacks on the U.S. and its allies
BOJ warns of cyber-attack vulnerability ahead of Olympic Games (Reuters) Japan's financial institutions must guard against cyber-attacks ahead of th...
Human Rights Fears as UN Admits Major Breach (Infosecurity Magazine) Global body covered up 2019 attack by likely nation state group
U.N. Hack Stemmed From Microsoft SharePoint Flaw (Threatpost) Reportedly, the bug wasn't patched, leading to a data breach in July.
United Nations Data Breach Started with Microsoft SharePoint Bug (Dark Reading) A remote code execution flaw enabled a breach of UN offices in Geneva and Vienna, as well as the Office of the High Commissioner for Human Rights.
Prevailion Charts the Global Plunder of Known Ransomware Criminals (Prevailion) Education and Financial Sectors are in the crosshairs in a recent slate of ransomware attacks from TA505.
Microsoft Detects New Evil Corp Malware Attacks After Short Break (BleepingComputer) Microsoft says that an ongoing Evil Corp phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, this being the first time the threat actors have been seen adopting this technique.
Sodinokibi Ransomware Group Sponsors Hacking Contest (Threatpost) Larger winnings for underground skills competitions are attracting sophisticated crime groups.
Memory Lane - Direct Memory Access Attacks (Eclypsium) High-speed DMA attacks can bypass built-in hardware protections on enterprise devices. Researchers from Eclypsium demonstrated that, even in the presence of protections such as UEFI Secure Boot, Intel Boot Guard, HP Sure Start, and Microsoft Virtualization-Based Security, laptops from Dell & HP were susceptible to pre-boot DMA attacks. This powerful class of attacks is an industry-wide issue that threatens servers as well as laptops.
Social media boosting service exposed Instagram passwords (TechCrunch) Exclusive: A bug in the service's website exposed thousands of Instagram passwords in plaintext.
Trello exposed! Search turns up huge trove of private data (Naked Security) A surprising number of users seem to be setting Trello boards, and their often highly sensitive content, to ‘public’.
Coronavirus conspiracy theories are flooding Facebook and Twitter, despite promises of a crackdown (The Telegraph) The Wuhan coronavirus has infected thousands and killed more than 170 people.
Keeping People Safe and Informed About the Coronavirus (About Facebook) We're working to limit the spread of misinformation and harmful content.
Five Years Later, Ashley Madison Data Breach Fuels New Extortion Scam (Email Security | Vade Secure) The Ashley Madison data breach of 2015 is coming back to haunt victims in a big way, with leaked data fueling a new wave of extortion scams.
Texting scam using links to target personal information (WCTI) When a text message with a link appears to be from a packaging company, many people say their first instinct is to open the link. However, opening some of these text messages could help hackers steal personal information. It is all part of a scam officials call smishing - also known as SMS phishing. Hackers are attempting to get personal information through text, similar to phishing emails.
Huge growth in malware connected to popular musicians - Kaspersky (Future Five) Cybercriminals are actively abusing the names of artists and songs nominated for a Grammy 2020 award, in order to spread malware.
Phone phishing scams now targeting Social Insurance Numbers (CityNews Toronto) A different version of phone scams currently doing the rounds has fraudsters aiming for a large cache of information rather than just cash - your Social Insurance Number (SIN).
DOD contractor suffers ransomware infection (ZDNet) Virginia-based EWA has had systems infected with the Ryuk ransomware.
US Defense Contractor Hit by Ryuk Ransomware (Infosecurity Magazine) Websites down at EWA as attackers step up efforts
Touchdown! Measuring External Cyber Posture and the NFL Hack (Panorays) How were the NFL teams hacked, and was there any indication that some teams were more or less likely to be targeted? The answers may surprise you.
State Treasurer Warns of New Lottery Texting Scam (1420 WBSM) Massachusetts Treasurer Deb Goldberg issued a press release Friday warning state residents of a lottery scam being conducted via text messages.
Please don't fall for these surprisingly badly written phishing scam emails (ZDNet) A new wave of fraud emails are circulating, but many of them are pretty easy to spot.
Medtronic 2090 Carelink Programmer Vulnerabilities (Update C) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.1
Vendor: Medtronic
Equipment: 2090 CareLink Programmer, 29901 Encore Programmer
Vulnerabilities: Storing Passwords in a Recoverable Format, Relative Path Traversal, Improper Restriction of Communication Channel to Intended Endpoints
2.
Medtronic Conexus Radio Frequency Telemetry Protocol (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.3
ATTENTION: Exploitable with adjacent access/low skill level to exploit
Vendor: Medtronic
Equipment: MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, specific Medtronic implanted cardiac devices listed below
Vulnerabilities: Improper Access Control, Cleartext Transmission of Sensitive Information
2.
Security Patches, Mitigations, and Software Updates
Zoom Fixes Flaw That Could Allow Strangers Into Meetings (BankInfo Security) Conferencing service provider Zoom has fixed a vulnerability that - under certain conditions - could have allowed an uninvited third party to guess a meeting ID and
Cyber Trends
2019 Holiday Shopping Season Threat Review (RiskIQ) This holiday shopping season raked in a record $1 trillion, an increase of nearly $300 billion from 2018. Overall online sales increased 13%, while Black Friday and Cyber Monday saw 17% and 19% increases, respectively.
80% of successful breaches are from zero-day exploits (Help Net Security) Organizations are not making progress in reducing their endpoint security risk, especially against new and unknown threats.
Marketplace
How will the UK tech sector be affected by Brexit? (Information Age) With the transition period for Brexit beginning tonight, we explore what Brexit will mean for the UK tech sector
Space executive says the industry needs help to understand cyber threats (SpaceNews.com) Emerging companies in the space industry lack cybersecurity expertise and may be ill prepared to prevent or respond to attacks.
Raytheon Takes Control of Forcepoint Cybersecurity Business (Wall Street Journal) The defense company said it paid $588 million to Vista Equity Partners for its minority stake in Forcepoint, four years after creating a business aimed at selling military-style cyber products to commercial clients.
Israel Electric inks deal to help safeguard Tokyo Olympics from cyberattack (Times of Israel) IEC signs agreement with Japanese energy utility to secure critical infrastructure during games, also launches new set of cybersecurity tools at Cybertech 2020 confab in Tel Aviv
Microsoft invites gamers and researchers to new Xbox bug bounty program (Help Net Security) Microsoft invites gamers and researchers to participate in Xbox bug bounty program. Bounty rewards will range from $500 to $20,000 USD.
IBM’s Ginni Rometty Steps Down as CEO (Wall Street Journal) Ginni Rometty is retiring after almost 40 years at IBM and will be succeeded as CEO by Arvind Krishna, who heads the company’s cloud and cognitive-software division.
Cybersecurity: The woman who hacks Siemens (Süddeutsche Zeitung) Fabienne Waidelich and her team try every day to break into Siemens' computers. Why? So that nobody else does. About a woman in a male-dominated field and the question: what does a hacker actually do?
Cyber Campus backed by Orange, Atos and Thales to open in Paris in Q1 2021 (Telecompaper) France's secretary of state for digital affairs, Cedric O, has announced the launch of the Cyber Campus initiative with the publication of a paper presenting the project, which owes its origin to the work of Michel Van Den Berghe, CEO of Orange Cyberdefense. Located in the Paris region, the new 10,000 square metre site will group between 500 and 1,000 cyber security experts from its launch, which is planned for Q1 2021.
Cybersecurity firm plans move to Fairlawn (Akron Beacon Journal) TrustedSec started in the basement of a Northeast Ohio home in 2012. Almost eight years later, the information security consulting firm that breaks into
Products, Services, and Solutions
New infosec products of the week: January 31, 2020 (Help Net Security) Featured infosec products this week come from the following vendors: Swimlane, RiskSense, Cisco, and Magnet Forensics.
Technologies, Techniques, and Standards
SEC Publishes Cybersecurity and Resiliency Best Practices (Security Magazine) The SEC has published guidance to help firms in the securities market enhance their cybersecurity preparedness and operational resiliency.
What's Actually on the Dark Web (Vice) Dark web researcher Emily Wilson explains the good, bad, and nefarious parts of the dark web to CYBER.
How states held hostage by ransomware attacks can take control (Boston Globe) It’s not clear that government officials are learning the right lessons from these attacks about how to secure their citizens and online infrastructure.
Facebook knows a lot about your online habits – here’s how to stop it (Naked Security) Facebook’s new Off-Facebook Activity feature is part of the company’s effort to appear more privacy-friendly to its users.
Avoiding Risk Acceptance With Security Alerts (Forbes) Resolving alerts without accepting risk requires resolving every alert without crippling the effectiveness of security tools by changing alert thresholds or ignoring security events.
Russia Blocks ProtonMail and ProtonVPN, Tor to the Rescue (BleepingComputer) Proton Technologies' security-focused ProtonMail end-to-end encrypted email service and ProtonVPN VPN service have been blocked by the Russian government within Russia since yesterday.
Can the government stop fake comments on its rules without alienating citizens? (Federal Times) Innovations that make it harder for people to spam public comment opportunities could also make concerned members of the public less likely to participate.
Facebook Won’t Remove This Woman’s Butthole As A Business Page (BuzzFeed News) “This unofficial Page was created because people on Facebook have shown interest in this place or business. It's not affiliated with or endorsed by anyone associated with Samantha Rae Anna Jespersen's
Design and Innovation
The Fractured Future of Browser Privacy (Wired) Better anti-tracking measures have become the norm for Chrome, Firefox, Safari, and other modern browsers. But they still disagree on how exactly they should work.
Academia
Cyber Hawks team cracks NSA codebreaker challenge (Dahlonega Nugget) As computer scientists representing 532 universities across the United States competed to crack the latest NSA Codebreaker challenge, UNG proved to be a consistent force in the world of cyber secur
LT's CyberPatriots compete at national level (La Grange, IL Patch)
Texas schools now required to craft cybersecurity plans, staff to undergo training (KXAN.com) Texas lawmakers passed legislation last year enhancing cybersecurity requirements for school districts.
Legislation, Policy, and Regulation
Attempts to define international infosec rules of the road bogged down by endless talkshops, warn diplomats (Register) Do you want Russia or China writing treaties on what's cool online?
Diskin: Achieve cybersecurity with preemptive strikes (The Jerusalem Post) Diskin said, “The world of information security tends to forget cyberattacks did not happen by themselves or from computers."
United States Welcomes the EU’s Acknowledgement of the Unacceptable Risks Posed by Untrusted 5G Suppliers (United States Department of State) On January 29, the European Union (EU) Network Information Security Cooperation Group released a toolbox of recommended measures to mitigate security risks in 5G networks. The United States welcomes this initiative from Member States, the Commission, and the EU Cybersecurity Agency. The Toolbox acknowledges that suppliers with high risk profiles (e.g., companies based in third …
Why Britain's spooks ‘think they know better’ than the US on Huawei (The Telegraph) In a sleepy business park on the edge of Banbury, a red-brick building houses what has become one of Britain’s most important weapons against state-backed cyber crime.
Huawei 5G verdict is decision 'with few good options' (BBC News) The government is due to decide later whether to ban Huawei from the UK's 5G networks.
US says 'Five-Eyes' intelligence alliance will remain in place despite Britain's Huawei decision (Computing) US Secretary of State Mike Pompeo confident of US and UK resolving their differences
No Huawei ‘Smoking Gun’ in Europe, French Cyber Chief Says (Yahoo) France’s cybersecurity chief said his agency hasn’t uncovered any evidence of Huawei Technologies Co. spying via Europe’s communications networks, shrugging off U.S. and German concerns. Guillaume Poupard, the head of the national cybersecurity agency ANSSI, spoke following reports of a
Italy has no plans to exclude Chinese telecom firms, including Huawei from 5G network (Tech2) The United States has lobbied Italy and other European allies to avoid using Huawei equipment.
Brexit to Add Sanctions Compliance Complexity (Wall Street Journal) Britain is set to officially withdraw its membership from the European Union on Friday, but EU regulations still apply during the transitional period until Dec. 31.
Ottawa should follow allies in public-private collaboration, says cyber industry group (IT World Canada) Fed up with what it believes is a federal government that doesn't work closely enough with the private sector on cybersecurity-related acquisitions,
The Cybersecurity 202: Election officials confident about security days before first contests of 2020 (Washington Post) Election officials are striking a confident tone about digital security at their final summit before caucus and primary season begins. But they're also planning for the worst, war-gaming how to handle any major hacks from Russia or other adversaries.
Intel: Democrats push Trump administration to crack down on Saudi prince (Al-Monitor) Emboldened by the latest United Nations report implicating Crown Prince Mohammed bin Salman in hacking Amazon CEO Jeff Bezos’ phone, Democrats are pushing the Donald Trump administration to toughen up on the Saudi heir.
Democratic senator asks intelligence agencies to open probe into Bezos phone hack (TheHill) Sen. Chris Murphy (D-Conn.) on Wednesday asked the FBI and the Office of the Director of National Intelligence (DNI) to probe recent reports that Amazon CEO Jeff Bezos’s phone was hacked by Saudi Arabian officials.
The EARN IT Act: How to Ban End-to-End Encryption Without Actually Banning It (Center for Internet and Society) There’s a new bill afoot in Congress called the EARN IT Act. A “discussion draft” released by Bloomberg is available as a PDF here. This bill is trying to convert your anger at Big Tech into law enforcement’s long-desired dream of banning strong encryption. It is a bait-and-switch. Don’t fall for it.
A Primer on the California Consumer Privacy Act (Radware Blog) At its core, the CCPA is a data protection policy to ensure that the privacy rights of internet users in California are seriously enforced.
Leading Army Reserve Cyber Talent To Keystone State (DVIDS) Shaping the Army Reserve cyber force is still evolving from refining strategy and methodology to delivering proper talent management for the training of new reserve cyber warriors.
Employers can’t force you to get microchipped, Indiana reps say (Naked Security) The US state wants to make sure employers don’t “overstep their bounds” by imposing mandatory employee microchipping.
Litigation, Investigation, and Law Enforcement
Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack (the Guardian) Amazon founder interviewed as FBI conducts inquiry into Israeli firm linked to malware
Remember FindFace? The Russian Facial Recognition Company Just Turned On A Massive, Multimillion-Dollar Moscow Surveillance System (Forbes) Russian company’s CEO claims it’s the biggest live facial recognition project in the world.
Exclusive: FBI probes use of Israeli firm's spyware in personal and government hacks - sources (Reuters) The FBI is investigating the role of Israeli spyware vendor NSO Group Technologi...
Government spyware company spied on hundreds of innocent people (Naked Security) eSurv execs have been charged with fraud, unauthorized access to a computer system, illicit interception and illicit data processing.
AIG must cover client's $5.9 million in cyber-related losses, judge rules (CyberScoop) Insurance giant AIG must cover nearly $6 million in losses for a client that was fleeced by an email scam carried out by suspected Chinese hackers, a federal court has decided. A judge in the Southern District of New York ruled Wednesday that AIG was in breach of contract when it previously denied a claim from SS&C Technologies, a $6 billion financial technology firm.
Canadian insurance firm pays off hackers to remove ransomware (Insurance Business) News of the attack was not publicly disclosed until the firm's reinsurer filed court documents – in the UK
Dallas County attorney agrees to drop charges against men contracted by judicial branch to test courthouse security (Des Moines Register) The charges against two men arrested while testing the security of an Iowa courthouse while on contract with the judicial branch have been dropped.
Dallas County drops charges against men who tested courthouse's security by breaking in (KCCI) The CEO of Coalfire, Tom McAndrew, said the Dallas County Courthouse doors were unlocked and deputies responded after one of the Coalfire employees intentionally tripped an alarm in the building.
Data-breach uni pays out £140k compensation (BBC News) Students' personal details, including information on health problems, were sent to 298 people.
Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court (ZDNet) Each impacted party is claiming the other is responsible for not detecting the scam. The ownership of a valuable painting is at stake.
A year after Bank of Valletta 'cyber heist', cuffs applied as cash-cleansing case continues (Register) Would sir care for an Audi with that Jag?
‘Please be young,’ the Craigslist personal ad read. Feds say it led them to a Portsmouth man’s stash of child porn. (Virginian-Pilot) Robert H. Birchett, a petty officer 1st class stationed aboard the USS George H.W. Bush, denied trying to have sex with a child.