Actually, since we took Independence weekend off, this issue represents the last two Weeks that Were. Here we go.
Sea Turtle is back, with some new kit.
Cisco Talos warns that the actors responsible for the Sea Turtle DNS hijacking campaign "are redoubling their efforts with new infrastructure." The researchers identified a new technique being used by the group that makes it much harder to track its activity. It uses different malicious name server hostnames and IP addresses for each target. Earlier attacks had used the same domains against a broad range of organizations, and that's easier to follow. The campaign's targets are mostly in the Middle East and North Africa. They include several government entities, energy companies, think tanks, and NGOs. New victims were spotted in Albania, Cyprus, Greece, Sudan, Switzerland, and the United States, according to Infosecurity Magazine.
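Because Sea Turtle now uses separate nameserver hostnames and addresses for each victim, matching against a list of known-bad infrastructure is a weak detection. What still works is comparing each zone's delegation, as served by the parent (TLD) nameservers, against the delegation the organization knows it configured at its registrar. The following is an added example of that baseline check, not Cisco Talos's code; the baseline, the zone name and the resource records are constructed for illustration.

```python
"""Delegation-drift check for DNS hijacking of the Sea Turtle kind.

Added example, not Cisco Talos's code. The baseline and the records
below are constructed; the record format is the zone-file style that
`dig` prints ("owner ttl IN TYPE rdata").
"""
from dataclasses import dataclass

# Constructed baseline: what the organisation delegated at its registrar.
EXPECTED = {
    "example-gov.tld": {
        "ns": {"ns1.registrar-hosting.example", "ns2.registrar-hosting.example"},
        "glue": {"198.51.100.10", "198.51.100.11"},
    },
}


@dataclass(frozen=True)
class Finding:
    zone: str
    kind: str    # "ns-added", "ns-removed" or "glue-changed"
    detail: str


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot that dig prints."""
    return name.rstrip(".").lower()


def parse_rrs(lines):
    """Parse records into a set of NS hostnames and a {ns_host: {ip}} glue
    map. Blank lines, ';' comments and other record types are skipped."""
    ns, glue = set(), {}
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith(";") or len(fields) < 5:
            continue
        owner, rtype, rdata = normalize(fields[0]), fields[3].upper(), fields[4]
        if rtype == "NS":
            ns.add(normalize(rdata))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns, glue


def check_delegation(zone, lines, expected=EXPECTED):
    """Return Findings for one zone; an empty list means the observed
    delegation matches the baseline exactly."""
    base = expected[zone]
    observed_ns, observed_glue = parse_rrs(lines)
    findings = []
    for host in sorted(observed_ns - base["ns"]):
        findings.append(Finding(zone, "ns-added", host))
    for host in sorted(base["ns"] - observed_ns):
        findings.append(Finding(zone, "ns-removed", host))
    for host, ips in sorted(observed_glue.items()):
        for ip in sorted(ips - base["glue"]):
            findings.append(Finding(zone, "glue-changed", f"{host} -> {ip}"))
    return findings


# Constructed answers in the shape of `dig @<parent-ns> example-gov.tld NS +norecurse`:
# one legitimate NS has been swapped for per-target attacker infrastructure.
OBSERVED_HIJACKED = [
    "; <<>> constructed sample <<>>",
    "example-gov.tld.               3600 IN NS ns1.registrar-hosting.example.",
    "example-gov.tld.               3600 IN NS ns1.per-target-host.example.",
    "ns1.registrar-hosting.example. 3600 IN A  198.51.100.10",
    "ns1.per-target-host.example.   3600 IN A  203.0.113.5",
]
OBSERVED_CLEAN = [
    "example-gov.tld.               3600 IN NS ns1.registrar-hosting.example.",
    "example-gov.tld.               3600 IN NS ns2.registrar-hosting.example.",
    "ns1.registrar-hosting.example. 3600 IN A  198.51.100.10",
    "ns2.registrar-hosting.example. 3600 IN A  198.51.100.11",
]

if __name__ == "__main__":
    for f in check_delegation("example-gov.tld", OBSERVED_HIJACKED):
        print(f"{f.zone}: {f.kind} {f.detail}")
```

Ask the parent zone's servers with recursion disabled rather than your own authoritative servers: a hijacked delegation is only visible at the parent, and the attacker controls the answers the substituted servers give. The check catches the change; the registrar account is still the thing to defend (registry lock and strong MFA on it).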
Ugly disinformation.
An investigation by Yahoo News determined that the SVR, Russia's foreign intelligence service, was the first to spread a phony intelligence report that sparked the conspiracy theory that DNC staffer Seth Rich was assassinated at the behest of then-Presidential candidate Hillary Clinton. The theory initially held that Rich was a disgruntled Sanders supporter who was planning on talking to the FBI about corruption involving Clinton, and later morphed into claiming that the young staffer was WikiLeaks' source for the stolen DNC files. The latter theory was strongly implied by Julian Assange, who in August 2016 offered a $20,000 reward for information about the murder. Special Counsel Robert Mueller's report on Russian interference in the 2016 election concluded that Assange was thereby obscuring the true source of the leaks: Russia's GRU. Russia likewise benefited from pinning the leaks on someone else, thereby deflecting blame from its military intelligence service. DC police believe Rich's tragic murder was a botched armed robbery.
Magecart attackers are looking for open buckets.
RiskIQ describes a Magecart group that's scanning for unsecured AWS S3 buckets and automatically injecting their skimming code into them. The activity began in early April, and the attackers have since compromised a "vast collection" of buckets, affecting more than 17,000 domains. Many of the compromised targets aren't payment pages and therefore don't result in payment data being stolen, but due to the automated nature of the attacks, the attackers have hit enough attractive targets to make it worth their while.
In addition to the Magecart aspect, however, the researchers emphasize that the campaign "illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets." RiskIQ researcher Yonathan Klijnsma told WIRED that "pretty much anybody can do anything in those S3 buckets, and the reach of those is quite big."
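The misconfiguration at issue is a bucket that anyone can write to, either through a bucket policy that grants a write action to every principal or through a legacy ACL grant to the AllUsers group. The following is an added example of how to audit both objects offline, not RiskIQ's code; it takes the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return (the policy arrives as a JSON string inside a "Policy" field), and the bucket name, policies and ACL are constructed for illustration, with the weak policy shown beside a corrected one.

```python
"""Flag S3 buckets that anyone can write to.

Added example, not RiskIQ's code. Policies and ACL are constructed.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller create, replace or remove objects (IAM action
# names are matched case-insensitively).
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy JSON allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" and {"AWS": "*"} both mean anyone, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_write_statements(policy_json):
    """Return [(sid, has_condition)] for each Allow statement that grants a
    write action to everyone. A Condition narrows the grant, so those hits
    are reported for review rather than silently accepted."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if actions & WRITE_ACTIONS:
            hits.append((st.get("Sid", f"Statement[{i}]"), "Condition" in st))
    return hits


def public_write_grants(acl):
    """Return "Group:Permission" for each ACL grant giving AllUsers or
    AuthenticatedUsers write access. ACLs are evaluated independently of
    the bucket policy, so a clean policy alone proves nothing."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            hits.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant['Permission']}")
    return hits


# Constructed weak policy: anonymous PutObject on the whole bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicWrite", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::assets-example-bucket/*",
    }],
})

# Constructed corrected policy: anonymous read of one prefix only; writes
# restricted to a named deployment role (account id is a placeholder).
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadStaticAssets", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::assets-example-bucket/static/*"},
        {"Sid": "DeployRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-example"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::assets-example-bucket/static/*"},
    ],
})

# Constructed ACL in get-bucket-acl shape: the classic "Everyone: Write" grant.
WEAK_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print(public_write_statements(WEAK_POLICY), public_write_statements(FIXED_POLICY))
    print(public_write_grants(WEAK_ACL))
```

Two practical notes: turning on S3 Block Public Access at the account level prevents both of these grants from taking effect regardless of what an individual bucket says, and pages that load JavaScript from a bucket can pin it with Subresource Integrity so that a script modified in place fails to load instead of running.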
Agent Smith.
Check Point is tracking a malware variant targeting Android devices. They call it "Agent Smith" after its ability to replace legitimate apps with malicious duplicates. ZDNet says the researchers tracked the malware to a company in Guangzhou, China, which helps app developers transfer their products to overseas markets. Some of the company's online job postings request skills that have nothing to do with such legitimate operations, but rather seem related to the capabilities Agent Smith displays. The malware in this case is being used to generate revenue via malicious ads, but Check Point notes that "there are endless possibilities for this sort of malware to harm a user's device."
Google's leaky Assistant.
Google is facing criticism after a contractor leaked one thousand audio files that were recorded by Google Assistant without users' knowledge. VRT NWS, a Belgian news service that received the files, confirmed that a number of the recordings were legitimate by allowing users to listen to them. The audio files contained users' private conversations and were much lengthier than necessary. In 153 instances, the audio was recorded with no prompt from a user, apparently after Google Assistant misinterpreted a phrase as its "OK Google" trigger command. WIRED observes that Google's privacy policy doesn't state that human employees review audio recordings made by Google Assistant, which might place the company in violation of GDPR.
Another Florida city announces a cyberattack.
A third Florida city, Key Biscayne, has sustained a cyberattack, but appears to have recovered, the Miami Herald reports. The city announced it had experienced a "data security event" last Sunday. Some systems were taken offline during the recovery, but all were back up by Wednesday night. An investigation continues.
Customizable payment site skimmer up for sale.
Fortinet describes a new Magecart skimmer called "Inter" that's selling for $1,300. This skimmer can be customized to fit different types of websites and payment vendors, and it has built-in templates for eighteen popular payment forms. Dark Reading notes that the skimmer's sophistication, ease of use, and wide applicability means that it will likely be seen in use by other groups in the near future.
Patch news.
Tenable outlined a number of ICS vulnerabilities the company has discovered over the past nine months, including a critical flaw in Siemens STEP 7 TIA Portal that would have permitted remote, unauthenticated root access to a device, as well as the ability to spread malicious code within an ICS.
Apple quietly released an update in response to a vulnerability in Zoom's Mac client that could allow a website to force a Mac user to join a video call without any input from the user. Zoom reluctantly added ways to remove the feature on Tuesday, but Apple says its patch will protect users who haven't updated Zoom, or who uninstalled the application without removing the local web server Zoom left behind, TechCrunch notes. Zoom has published its own description of the measures it took.
Microsoft fixed seventy-seven flaws on Patch Tuesday, many of them addressing Internet Explorer and Edge (Trend Micro offers a reaction). Adobe patched a relatively light set of flaws, none of them particularly serious. Surprisingly, as ZDNet notes, none involved Flash.
Crime and punishment.
An unnamed US defense contractor was induced to send sensitive, highly classified communications intercept equipment worth about $3 million to an international criminal gang. A search warrant request the US Department of Homeland Security filed with the United States District Court for the District of Maryland revealed the details. Homeland Security Investigations asked for Apple iCloud information pertaining to four email accounts of interest.
The criminals were allegedly in email correspondence with a Maryland firm identified in the affidavit only as "Company B." They posed as a US Navy contracting officer, "Daniel Drunz," and used a bogus US Navy email address, "Daniel[dot]Drunz@navy-mil[dot]us," to obtain shipment, to parts unknown, of export-controlled equipment. A genuine US Navy email address would use the domain navy[dot]mil, without the [dot]us. The scammers are being called the Drunz Gang. They made off with more than just the comms intercept gear, too: their take included $6.3 million in televisions and $1.1 million in iPhones and iPads. Those will be a lot easier to fence than the classified equipment, but the Drunz Gang will probably find a buyer for that, too.
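The lookalike here is the kind that a quick look misses: the real domain's labels are present, but the dot between them has become a hyphen and a different top-level domain has been appended. The following is an added example of a sender-domain triage check of the sort a contractor's mail gateway or order desk could run, not code from the affidavit or any vendor; the trusted-domain allowlist and the sample headers are constructed, and only navy.mil and the defanged address come from the story above.

```python
"""Classify From: addresses against a trusted-domain allowlist and flag
lookalikes such as navy-mil.us.

Added example; the allowlist and sample headers are constructed.
"""
from email.utils import parseaddr
import re

# Assumption: an allowlist of domains the organisation actually contracts with.
TRUSTED_DOMAINS = ("navy.mil",)


def sender_domain(header_value: str) -> str:
    """Extract the address domain from a From: header value, ignoring the
    display name (which anyone can set) and normalising case and a trailing dot."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def _squash(domain: str) -> str:
    """Drop every non-alphanumeric character so that navy-mil.us, navy.mil.us
    and navymil.example all compare as containing 'navymil'."""
    return re.sub(r"[^a-z0-9]", "", domain)


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return "trusted" (the domain or a subdomain of it), "lookalike"
    (the trusted labels are embedded in some other domain) or "untrusted"."""
    domain = sender_domain(header_value)
    if not domain:
        return "untrusted"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    squashed = _squash(domain)
    for t in trusted:
        if _squash(t) in squashed:
            return "lookalike"
    return "untrusted"


def triage(headers, trusted=TRUSTED_DOMAINS):
    """Return [(header, verdict)] so that lookalikes can be routed to a human."""
    return [(h, classify_sender(h, trusted)) for h in headers]


# Constructed From: header values; the first is the defanged address from the
# affidavit with the defanging removed.
SAMPLE_FROM_HEADERS = [
    "Daniel Drunz <Daniel.Drunz@navy-mil.us>",
    "Contracting Officer <someone@navy.mil>",
    "someone@mail.navy.mil",
    "someone@navy.mil.example",
    "vendor@example.com",
    "Daniel Drunz <no-at-sign>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {header}")
```

A "lookalike" verdict is a review flag, not proof of fraud, and the check is deliberately narrow: it does not cover homoglyph or internationalized domains, nor a Reply-To that differs from From. For a shipment of export-controlled equipment the address check is only the first gate; the purchase order should be confirmed through a contact obtained independently of the email.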
Courts and torts.
In the UK, the Information Commissioner's Office this week announced its intention to impose very heavy fines on two companies for data breaches that placed them in violation of GDPR. On Monday the ICO announced its intent to fine British Airways £183.39 million for a data breach that put the airline in violation of GDPR. It's a record fine, which the BBC reports the airline intends to fight, vigorously. The ICO followed that on Tuesday with a notice that it would fine Marriott £99,200,396 ($123 million) for a breach the hotel chain suffered in 2018 as it integrated its Starwood reservation system. The fine amounts to three percent of the chain's annual revenue, one percentage point lower than the maximum allowable fine under GDPR. Marriott, disappointed by the ruling, intends to appeal.
The Wall Street Journal reported late Friday that the US Federal Trade Commission approved a $5 billion settlement in the matter of Facebook privacy missteps.
Policies, procurements, and agency equities.
The US Senate has passed the Securing Energy Infrastructure Act (SEIA), a bipartisan bill that will see the Department of Energy and other agencies look at ways to harden the electric grid by replacing unnecessarily high-tech systems with simpler solutions that are harder to hack, Utility Dive notes.
The Inquirer and others have reported discussions within the US Administration over proposed controls on the widespread availability of end-to-end encryption. This interagency discussion has been going on since early in the previous Administration. In general, Justice and especially the FBI have been most hostile to encryption (they worry about their ability to track criminals and terrorists who might "go dark," as the Bureau puts it). State, Commerce, and Defense (including NSA) have been more pro-encryption (in part because of concerns that backdoors introduce weakness into all systems). This isn't new: it's the latest round in the ongoing cryptowars.
A US Navy cyber operator will be nominated to become the next Chief of Naval Operations, the Service's uniformed leader. Vice Admiral Michael Gilday, currently Director of the Joint Staff and formerly head of US Fleet Cyber Command/US 10th Fleet, is a deep selection, Defense News points out: the first three-star picked for the senior billet since Admiral Elmo Zumwalt got the job in 1970.
Fortunes of commerce.
TechCrunch reports that Mozilla won't trust root certificates from UAE-based cybersecurity firm DarkMatter because (as Reuters reports) the company conducted espionage for the UAE government.
Labor markets.
A survey by Sophos found that 86 percent of IT departments are suffering from a skill shortage, with 80 percent saying they struggle with recruiting. Two-thirds of the respondents said they lacked the budget to hire the right people and buy the necessary technology. The survey also found that the average IT team spends more than a quarter (26 percent) of its time addressing cybersecurity issues.
Mergers and acquisitions.
On Monday Orange announced that it had closed its acquisition of SecureLink. The acquisition is expected to solidify Orange's position in the European cybersecurity market.
NTT Security has completed its acquisition of application-security shop WhiteHat Security, BusinessWire reports.
Next-generation SIEM company Exabeam has acquired cloud-application security specialist SkyFormation for an undisclosed sum. In addition to SkyFormation's capabilities, Exabeam also gets an office in Israel which it intends to use to pursue talent. Reuters says the acquisition is Exabeam's first.
Zscaler is buying Romanian browser-isolation shop Appsulate for an undisclosed sum, the acquiring company reports.
IBM closed its acquisition of all the issued and outstanding shares of Red Hat for $190 per share in cash, which amounts to a $34 billion valuation. Red Hat will operate as a unit within IBM, which will retain Red Hat's brand, headquarters, and leadership, according to Intelligence Community News. Red Hat's existing partners are being reassured, CRN says, that their arrangements with the company will not be damaged by the acquisition.
Texas-based merchant bank Braes Capital has acquired Siege Technologies from Nehemiah Security. Braes sees Siege, which specializes in cyber research and development for the US Federal market, as one of a projected series of acquisitions that will enable Braes to deliver infrastructure protection services to Federal, energy, and financial services customers. For Nehemiah, the sale represents an opportunity to sharpen its focus on quantifying cyber risk in financial terms (Yahoo).
Motorola Solutions has acquired WatchGuard, which specializes in mobile video systems for law enforcement, a BusinessWire announcement disclosed Thursday. This is at least tangentially related to cybersecurity, particularly in the light of concerns about collecting and preserving evidence in an era of increasingly plausible fakes.
Investments and exits.
NowSecure, specialists in mobile app security, closed a $15 million stock financing round led by ForgePoint Capital, CISO Magazine reports.
Identity and encryption shop DigiCert will receive a "strategic investment" from Clearlake Capital and existing investor TA Associates. The two firms will become equal partners in DigiCert when the deal closes later this year (Olean Times Herald). Financial terms were not disclosed (PEHub). Thoma Bravo, formerly a major investor in DigiCert, has exited its position, AltAssets reports.
TrapX has closed an $18 million funding round, led by Ibex Investors. Earlier backers BRM, Opus Capital, Intel Capital, Liberty Technology Venture Capital, and Strategic Cyber Ventures also participated. CISO Magazine says the San Jose-based deception technology shop will use the investment to expand its participation in global markets.
Sometimes customers become investors. That was the case this week for London-based Digital Shadows, which has received a $10 million investment led by NAB Ventures, the investment arm of its customer, National Australia Bank. Digital Shadows intends to use the funds to scale its SearchLight service.
Menlo Security, the Palo Alto-based Internet isolation specialist, has raised $75 million in a Series D round led by "clients advised by JP Morgan Asset Management." According to the company's announcement, existing investors also participating in the round included General Catalyst, Sutter Hill Ventures, Osage University Partners, American Express Ventures, HSBC, JP Morgan Chase, and Engineering Capital.
Prevailion has raised $10 million in a Series A round led by AllegisCyber Capital, with participation by DataTribe. The investment follows Prevailion's receipt of $2 million in a seed-funding competition held last year at DataTribe. The company, which maintains offices in Texas and Maryland, intends to use the new funding for talent acquisition, technical development, sales, and marketing, says Baltimore Business Journal. Prevailion specializes in third-party risk detection, enabling companies to determine which actual or potential partners have been compromised. Their use cases include risk management, incident response, due diligence, and asset management.
GDPR can now plausibly claim to have served as a unicorn incubator. OneTrust, founded two months after the EU enacted GDPR in 2016, is now valued at $1.3 billion. The company specializes in enabling its clients to manage the regulatory risk Europe's privacy regime imposes on them. Forbes reports that OneTrust's $200-million Series A round, announced on July 11th, pushed the Atlanta-based company over the $1-billion valuation threshold. Insight Partners led the investment.
McAfee is preparing an IPO that would take it public by year's end, according to the Wall Street Journal. Silicon Valley Business Journal says that McAfee hopes to raise $1 billion in the offering.
Venture Beat says San Francisco-based TrustArc has raised $70 million in a Series D round led by Bregal Sagemount, with participation by existing investors Accel, Baseline Ventures, DAG Ventures, Icon Ventures, and Industry Ventures. The company intends to use the funding to expand its privacy and compliance offerings.
Silicon Valley-based VC firm YL Ventures has announced a $120 million fund for seed-stage Israeli cybersecurity companies, ZDNet reports.
And security innovation.
ZTE has followed Huawei's lead in the charm offensive designed to reassure European markets about the security and reliability of Chinese-manufactured equipment. ZTE announced its intention of establishing a cybersecurity center in Brussels, according to PCR Online and other sources. "Cybersecurity Lab Europe" will offer opportunities for more external scrutiny of the company's devices. ZTE calls it an important "transparency initiative," SDX Central reports. Both ZTE and Huawei are looking toward positioning themselves for the 5G market.