HiddenWasp emerges from under the Winnti Umbrella (probably).
Intezer described Wednesday the operations of "HiddenWasp," a campaign that installs a backdoor into Linux systems. Most Linux-focused malware has tended to concentrate on coinmining or distributed denial-of-service, and observers say it has also tended to be, relatively speaking, heavy-footed and noisy. HiddenWasp is not only relatively stealthy, but also aims at control of infected devices. Observers find these new developments disturbing.
HiddenWasp borrows freely: components of Mirai, the ChinZ Elkinot implant, the Azazel rootkit, and the Linux version of Winnti have all been seen in its code. Attribution remains unclear, but some think it looks like an operation with Chinese origins, either with criminal organizations or intelligence services. AT&T Cybersecurity’s Alien Labs tells SC Magazine they’ve concluded, “with high confidence,” that HiddenWasp falls under the Winnti Umbrella, a set of groups associated with China.
It’s worth noting that HiddenWasp seems to have escaped detection by most anti-virus software. Defenders will adapt.
Mortgage documents found exposed online.
Brian Krebs revealed last Friday that First American Financial Corporation had exposed more than 885 million documents concerning mortgages dating back to 2003. The data included bank account numbers, tax records, Social Security numbers, driver's license photos, and other financial records. Any of the files could be accessed by an unauthenticated visitor to First American's website by simply altering a digit in the URL for one of the documents.
First American shut down the vulnerable site last Friday afternoon, and says it's investigating the situation. Krebs says he doesn't have evidence that the files were accessed or harvested maliciously, although he adds that it wouldn't be difficult to do so. The documents had been exposed since at least March 2017. TechCrunch reported that thousands of the documents remained cached and readable in search engines after the site was disabled.
New York's Department of Financial Services has opened an investigation into the breach under the state's cybersecurity regulations, and more inquiries can be expected to follow (New York Times).
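The First American exposure is a textbook insecure direct object reference: the record number in the URL was the only thing standing between a visitor and someone else's file. The following is an added example, not First American's code or any reconstruction of their site; the document store, user names, ids and client address are all constructed. It shows a lookup that behaves the way the article describes beside one that authenticates the caller, authorizes against the record's owner, and counts denials per client so that a stream of refused sequential ids can be surfaced to monitoring.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: sequential numeric ids stand in for the digits
# in the document URL that the article describes.
DOCUMENTS = {
    1000001: {"owner": "alice", "body": "mortgage file for alice (constructed)"},
    1000002: {"owner": "bob", "body": "mortgage file for bob (constructed)"},
}


@dataclass
class Session:
    """Who is making the request; user is None for an unauthenticated visitor."""
    user: Optional[str]
    client_ip: str = "198.51.100.7"  # constructed address from the RFC 5737 test range


class AccessDenied(Exception):
    pass


def fetch_document_vulnerable(session: Session, doc_id: int) -> Optional[str]:
    """The failure mode in the article: the number in the URL is the only 'key',
    so any visitor who changes a digit receives someone else's record."""
    doc = DOCUMENTS.get(doc_id)
    return None if doc is None else doc["body"]


# Per-client count of denied requests. A single client accumulating many
# denials across different ids is the signal a defender would alert on.
DENIALS: dict = {}


def _record_denial(session: Session) -> None:
    DENIALS[session.client_ip] = DENIALS.get(session.client_ip, 0) + 1


def denial_count(client_ip: str) -> int:
    return DENIALS.get(client_ip, 0)


def fetch_document_hardened(session: Session, doc_id: int) -> str:
    """Authenticate first, then authorize against the record's owner.
    'Not found' and 'not yours' produce the same answer, so the id space
    cannot be probed to learn which numbers exist."""
    if session.user is None:
        _record_denial(session)
        raise AccessDenied("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session.user:
        _record_denial(session)
        raise AccessDenied("not found")
    return doc["body"]


def is_denied(session: Session, doc_id: int) -> bool:
    """Small wrapper so the outcome of the hardened lookup reads as a boolean."""
    try:
        fetch_document_hardened(session, doc_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    anon = Session(user=None)
    print(fetch_document_vulnerable(anon, 1000002))  # leaks bob's file to anyone
    print(is_denied(anon, 1000002))  # True: unauthenticated
    print(is_denied(Session("alice"), 1000002))  # True: wrong owner
    print(fetch_document_hardened(Session("bob"), 1000002))  # bob sees his own file
    print(denial_count(anon.client_ip))
```

The ownership check is the fix; the per-client denial counter is the detection that would have shown a two-year exposure being exercised, and the identical "not found" response is what keeps the hardened endpoint from confirming which record numbers are valid.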
Charm City is still writhing under ransomware.
The city of Baltimore, Maryland, estimates that the ransomware attack it sustained three weeks ago will cost the city more than $18 million by the end of 2019, $4.6 million of which has already been spent (Baltimore Sun). City officials want Governor Larry Hogan to secure declaration of a federal emergency in order to get federal funding for recovery.
Their calls for federal funding are largely based on a report by the New York Times on May 25th, which claimed that the ransomware used in the attack was exploiting EternalBlue to facilitate its spread. EternalBlue is a vulnerability in Microsoft's Server Message Block protocol that can be exploited by malware to achieve worming functionality. The exploit is generally thought to have been stolen, leaked or otherwise obtained from the National Security Agency by the ShadowBrokers, who then dumped it online in April 2017. NSA warned Microsoft in advance about the vulnerability, and Redmond issued patches for the flaw a month before the ShadowBrokers posted the exploit.
WannaCry and NotPetya both exploited EternalBlue to extend their reach into unpatched machines over the months that followed the leak. A number of Baltimore City officials (and also some members of the Maryland Congressional delegation including Representative Dutch Ruppersberger, whose territory includes both Baltimore City and Fort Meade, and Senator Chris Van Hollen) demanded answers from NSA about EternalBlue's role, if any, in the Baltimore attack (Baltimore Sun). Late Friday Rep. Ruppersberger issued a statement to the effect that NSA had satisfied him that EternalBlue wasn't implicated in the attack.
Many critics, however, believe that there's misunderstanding about the ransomware attack and EternalBlue itself. Some concede that NSA might share some blame for the WannaCry and NotPetya attacks, since those took place so soon after the exploit was made public (maybe Fort Meade should have been quicker to disclose), but that would not seem to be the case with the Baltimore incident. After all, a patch has been available for a bit more than two years now. Rob Graham of Errata Security points out that "if EternalBlue is responsible for the Baltimore ransomware attack, it would've been regardless whether the NSA had weaponized an exploit or done the 'responsible' thing and worked with Microsoft to patch it. After two years, exploits would exist either way." Likewise, NSA's Rob Joyce said Thursday that, while he sympathized with Baltimore's troubles, "focusing on a single exploit, especially one that has a solution through a patch that was issued years ago, is really shortsighted" (Nextgov).
The ransomware implicated in the incident, RobbinHood, is a criminal tool, not NSA code. It's also probable that the attackers got in through a commonplace phishing attack. EternalBlue at most might have enabled attackers to move across the city's systems, although it seems not even to have done that. The city's own IT personnel warned about the risk long before it became reality. An undated risk-assessment memorandum that appears, on internal evidence, to have been prepared between August 2016 and September 2017, warned that servers running unsupported versions of Windows posed a clear risk. The memo, according to the Baltimore Sun, specifically called out the likelihood of ransomware attacks, and pointed out that the two servers that were just clobbered were also not being backed up.
Chris Tonjes, a former Baltimore City CIO who resigned in 2014, said he tried to get the city to upgrade the servers back then, but without success. His comment this week was direct: “They rolled the dice and they lost,” Tonjes told the Sun. “I really have no sympathy.”
And speaking of patches for wormy things...
...Microsoft issued a second warning on Thursday telling users to apply patches for the wormable BlueKeep vulnerability. The vulnerability affects older Windows versions, including Windows 7, and is so severe that Microsoft released patches for out-of-support versions. Errata Security estimates that around a million machines are still vulnerable. In its warning, Microsoft said it was "confident that an exploit exists for this vulnerability," and urged readers to reflect on the 2017 WannaCry attacks. WannaCry spread indiscriminately by exploiting the EternalBlue vulnerability nearly sixty days after Microsoft released patches for the flaw.
GreyNoise told ZDNet that unknown threat actors are currently scanning the Internet for Windows systems that haven't applied patches for BlueKeep. GreyNoise warns that the scanning activity should be taken as an indicator that attacks are imminent. Those who've been following Baltimore's failure to patch EternalBlue might wish to apply any lessons learned to their management of patches for BlueKeep.
Iran learns from the best.
Just as its technical hacking capabilities have grown, so too has Iran shown an ability to learn quickly in the allied arts of information operations. FireEye at the beginning of the week publicly identified extensive coordinated information operations in support of Iranian interests during the 2018 US midterm elections. Inauthentic accounts tended to express opposition to President Trump, but their ideological slant, in American terms, was opportunistic. Some of the lines pushed represented themselves as progressive, others as conservative, but their common goal was to advance Iranian policy.
The tendency was in this round generally anti-Republican, but again, it’s important to bear in mind that this was opportunistic, not partisan in intent. Had bashing Democrats, or Greens, or Libertarians, or Prohibitionists served Tehran's purposes, there's every reason to think they'd have done so. The overall goal was to advance Iranian views. Both Twitter and Facebook, tipped off by FireEye, have removed the accounts in question.
A step toward laws of conflict in cyberspace.
The International Committee of the Red Cross has released a study of the potential humanitarian costs of cyber operations. The report cites, as part of its motivation, the need to address the effect such incidents as WannaCry, NotPetya, and attacks on the Ukrainian grid have on delivery of essential goods and services to civilian populations. It also cites the increased willingness to conduct offensive cyber operations by countries other than Russia and North Korea. The ICRC's study is intended to inform the laws of armed conflict of how new cyber technologies might be constrained to ameliorate suffering from operations in this newly contested domain. The topic is an important one. Since the infrastructure at stake delivers goods and services that human beings need simply as human beings (water, food, medical care, power), it's important to consider how to prevent attacks on that infrastructure from hitting uninvolved civilians. The Red Cross study, to which a number of cybersecurity firms contributed, is intended to be a step in that direction.
Patch news.
Zscaler discovered a malicious redirection campaign exploiting a cross-site scripting flaw in the WordPress Live Chat Support plugin. A patch for this vulnerability was released in mid-May, so updated versions are immune to the attack (Ars Technica).
Google is adding an optional "confidential mode" to G Suite, which will allow users to set expiration dates on emails or revoke sent messages. It also prevents recipients from forwarding, copying, downloading, or otherwise sharing information in emails, and senders have the option of requiring SMS authentication before recipients can view their emails. Confidential mode will be available on June 25th, when it will be turned on by default for all users (CRN).
Crime and punishment.
A US Navy sailor was sentenced to three years in prison after pleading guilty to espionage. He attempted to share information on nuclear propulsion systems with Sevmash, a Russian company that produces nuclear submarines (Navy Times).
Three tech support scammers were arrested in the US and charged with fraud. The three men had been running scams for at least six years, primarily targeting the elderly, and allegedly made $1.3 million (Naked Security).
Courts and torts.
CrowdStrike has reached a settlement in its lawsuit against NSS Labs. The research firm released a report in 2017 analyzing a number of cybersecurity products, which concluded that one of CrowdStrike's products was subpar (Pitchbook). CrowdStrike said the firm's testing methods were to blame, and NSS Labs has now stated that the testing process "was incomplete and the product was not properly configured with prevention capabilities enabled" (ZDNet).
Policies, procurements, and agency equities.
CISA director Christopher Krebs warned that US government employees should avoid foreign-made VPN services, CyberScoop reports. Krebs specifically referenced Russian and Chinese VPN providers, saying that these countries have "demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes." He noted that CISA doesn't have evidence that foreign VPNs are widely used, or used at all, within the US government, but that's due to a lack of visibility rather than the result of any comprehensive assessment.
Apple, Microsoft, Google, WhatsApp, and others have rejected GCHQ's suggestion that tech companies could modify their products to allow law enforcement to be added as an invisible recipient of encrypted messages sent to and from criminals and terrorists. GCHQ posited this as a potential way to give law enforcement agencies access to encrypted communications without weakening encryption itself. In a letter published on Thursday, the companies argued that such a proposal would introduce a host of new risks and vulnerabilities by "modifying how authentication works." They also express concern about the risks of abuse, particularly because if they were to develop such a function for the UK government, then other, less scrupulous governments will use it as well. NCSC technical director Dr. Ian Levy, who co-authored GCHQ's proposal, said he welcomed their response, and that "the hypothetical proposal was always intended as a starting point for discussion" (Telegraph). Discussion has indeed begun.
Fortunes of commerce.
Huawei alleges that US sanctions amount to an unconstitutional bill of attainder (Ars Technica). The company claims that Section 889 of the National Defense Authorization Act 2019 is the offending legislation. A bill of attainder, forbidden by Article I, Section 9, paragraph 3 of the US Constitution, is legislation that imposes an extrajudicial criminal penalty on an individual or group. Huawei says that the National Defense Authorization Act, by barring US Federal agencies from using the company's products, amounts to exactly that. Kaspersky Lab took a similar line in court against its own ban. They weren’t successful, and most observers think it unlikely that it will work for Huawei, either. But Huawei's real audience is probably the media, and not the Federal bench.
Labor markets.
The UK's Migration Advisory Committee added cybersecurity analysts and engineers to its Shortage Occupation List. Cybersecurity specialists have been on the list since 2015, but the latest version removes the minimum experience requirement, stating that "applying an experience caveat could hinder the development of cyber security at all levels" (Infosecurity Magazine).
Mergers and acquisitions.
Insight Partners, a New York-based private equity firm, has bought a controlling stake in leading threat intelligence shop Recorded Future for $780 million (CyberScoop).
Heimdal has acquired BasicBytes and intends to integrate BasicBytes' AdminPrivilege™ technology into a new offering directed toward sysadmins: Thor AdminPrivilege™.
Three managed security service providers—Tennessee-based Sword & Shield, Arizona-based Terra Verde, and Virginia-based TruShield—have merged to form Avertium under the ownership of Sunstone Partners. The companies hope the merger will help them compete with larger MSSPs like Secureworks and IBM (CRN). Avertium will be based in Phoenix, Arizona, and Knoxville, Tennessee, with an additional office in Reston, Virginia (Knox News).
Palo Alto Networks announced two acquisitions this week: Portland-based cloud security startup Twistlock for $410 million and Tel Aviv-based serverless application security provider PureSec for an undisclosed amount (Crunchbase News).
FireEye on Tuesday purchased Virginia-based security effectiveness testing company Verodin for $250 million (TechCrunch).
NetApp acquired Israeli data protection startup Cognigo for $70 million. Cognigo's data governance platform uses AI for PII recognition to assist with GDPR compliance (CRN).
Investments and exits.
Denver-based SOAR provider Swimlane has raised $23 million in Series B funding from Energy Impact Partners (Venture Beat).
Password manager company Dashlane raised $110 million in a Series D funding round led by Sequoia, along with Bessemer Venture Partners, Rho Ventures, and FirstMark Capital (SiliconANGLE).
New York-based enterprise cybersecurity company BlueVoyant closed an $82.5 million Series B funding round from Fiserv and a number of other undisclosed investors (TechCrunch).
And security innovation.
The Office of the US Director of National Intelligence has asked industry to provide innovative technologies that could address the urgent and rapidly developing needs of the Intelligence Community. The ODNI has put out a Request for Information concerning technologies that can meet the six objectives specified among the Intelligence Community's Strategic Initiatives.
Several of these involve acquisition management (they're looking for agility in acquisition, a capable and trusted workforce, and effective public-private partnership). Others suggest technical wishes ("augmenting intelligence using machines," "modern data management and infrastructure," and "comprehensive cyber posture"). Replies to the RFI are due by July 26th, 2019. Among the topics likely to be of particular interest are Artificial Intelligence, Communications, Computing, Cyber, and Data (SIGNAL).
ODNI will be communicating with companies who respond under the Intelligence Community's In-STeP program. More about the RFI may be found here.