LookBack malware in US utilities.
Between July 19th and 25th, Proofpoint identified spearphishing emails that hit at least three US companies in the utilities sector. The phishbait lay in the origin of the emails: they arrived from what Proofpoint thinks is an attacker-controlled domain, nceess[dot]com. The domain is designed to be mistaken for one owned by the US National Council of Examiners for Engineering and Surveying. The phish hook was an attached Microsoft Word document weaponized with malicious macros that install a malware package Proofpoint calls "LookBack," a remote access Trojan accompanied by a command-and-control proxy mechanism. The researchers believe there's enough evidence pointing to a nation-state as the actor behind LookBack, but the trail quickly grows cold. There are some overlaps with earlier campaigns associated with China's APT10, but these are insufficient for attribution.
Online card skimming is a growing problem.
Two major industry groups, the PCI Security Standards Council (PCI SSC) and the Retail and Hospitality ISAC, have warned of the rapidly developing threat of online paycard skimming. "Magecart" is the best-known umbrella term for the criminal campaigns that employ this tactic, which has been on the rise since its appearance in 2015. The most common infection vector for the JavaScript sniffers that do the stealing is third-party applications that are widely used by merchants. These typically include advertising scripts, live chat functions, and customer rating features.
Capital One is breached.
Data associated with about 106 million credit card users and applicants, mostly in the United States and Canada, were exposed in a breach said to have been committed by a Seattle-area woman, Paige A. Thompson. Capital One says the compromised data include "names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income." Also exposed were "customer status data, e.g., credit scores, credit limits, balances, payment history, contact information," and "fragments of transaction data from a total of 23 days during 2016, 2017 and 2018." A limited set of US Social Security Numbers (about 140 thousand), Canadian Social Insurance Numbers (about a million), and linked bank account numbers of credit card customers (roughly eighty thousand) were also taken. The Verge has an account of the misconfiguration that made the breach possible, and offers some speculation about the accused hacker's obscure motivation.
Some see the incident as calling cloud security as a whole into question (the Wall Street Journal summarizes this view), but this is surely overstated. Duo Security argues instead that the regular, reliable patching and updating the cloud offers represent an advantage, as does the broad view of threat activity cloud providers offer. But moving to the cloud does involve change, and so old processes and protocols can't simply be assumed adequate to their new environment.
Small plane CAN buses vulnerable to cyberattack.
CISA has distributed a warning about vulnerabilities in small aircraft CAN buses. "An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment." It would be possible to deliver false instrument readings to the pilot, and that could cause the pilot to lose control of the aircraft. The immediate recommendation for mitigation is to restrict physical access to aircraft. The warning is based on research by Rapid7; their report includes a lucid overview of what the CAN bus is.
Dispatches from the Crypto Wars.
The UK's new Home Secretary Priti Patel hosted the Five Country Ministerial this week, at which senior officials from the Five Eyes countries discussed cyber threats and emerging technologies, Reuters reported. Among other things the meeting amounted to a joint salvo in the Crypto Wars. In a column in the Telegraph on Wednesday, Patel argued that end-to-end encryption "hamper[s] our own law enforcement agencies, and those of our allies, in their ability to identify and stop criminals abusing children, trafficking drugs, weapons and people, or terrorists plotting attacks." She objected in particular to Facebook's plans to implement end-to-end encryption in its messaging services. Patel indicated that companies that don't voluntarily assist law enforcement in gaining access to encrypted data could face consequences from the UK's forthcoming online harms regulator, Sky News noted.
Crime and punishment.
Paige Thompson, the accused Capital One hacker, was arrested Monday on a charge of computer fraud and abuse. She is alleged to have gained access to Capital One customer data between March 12th and July 17th of this year. Her point of entry is said to have been a misconfigured firewall, the Wall Street Journal said. The Department of Justice says that Capital One was warned on July 17th by a GitHub user who'd noticed that their customer data had turned up on GitHub. Capital One had stored the data in AWS, and various reports have noted that Ms Thompson is a former Amazon employee, last working there in 2016, but Amazon Web Services does not appear to have been implicated in the breach.
[Update, 8.3.19: A GitHub spokesman offered the following information on the breach: "GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."]
This was quick work by law enforcement, as the Washington Post notes. Federal investigators found their task simplified by Ms Thompson's online boasting. Using the nom-de-hack "erratic," she had woofed about herself in Slack, Meetup, and Twitter channels, offering such commentary as, "I've basically strapped myself with a bomb vest, [redacted expletive] dropping capitol ones dox and admitting it." Such insouciance sadly left her during an appearance Monday in the United States District Court for the Western District of Washington at Seattle, Washington, where, Bloomberg reports, she "broke down and laid her head on the defense table." If convicted, she faces up to five years imprisonment and a $250 thousand fine. As WIRED observes, Ms Thompson's online communications showed a person struggling with problems with living.
The FBI is sorting out claims in Ms Thompson's posts that she's also hacked other companies, the Wall Street Journal reports, but according to Computing, Amazon thinks those claims are unfounded, or at least that it's found no evidence of other victims.
The IRS is sending letters to 10,000 cryptocurrency holders who may have failed to report their income or pay taxes on transactions involving digital currencies, CNBC notes. The letters explain the recipients' obligations under the law and contain instructions on how to fix past tax filing errors. An IRS news release stated that "taxpayers who do not properly report the income tax consequences of virtual currency transactions are, when appropriate, liable for tax, penalties and interest. In some cases, taxpayers could be subject to criminal prosecution."
Courts and torts.
A High Court decision in the UK sustained the 2016 Investigatory Powers Act's authorization for bulk collection and retention of data by the government. The Court found that the safeguards the Act put in place were sufficient to ensure that bulk collection remained compatible with European human rights law.
The US Federal Trade Commission's recently opened antitrust investigation of Facebook is, for now, concentrating on the social network's acquisitions. The Wall Street Journal says that investigators are interested in seeing whether Facebook's acquisition of potentially disruptive, smaller rivals formed part of a deliberate strategy to neutralize competitors.
GitHub has restricted developers in Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine from accessing or creating private repositories on its platform, BleepingComputer reports. The company's CEO tweeted that "GitHub is subject to US trade law, just like any company that does business in the US," although he emphasized that he took no pleasure in enforcing the measure. Restrictions are based on user location rather than nationality. GitHub also said that users were prohibited from using proxies and VPNs to bypass the restrictions, although TechCrunch notes that it's not clear how this might be enforced.
The Australian Competition and Consumer Commission (ACCC) on Friday released a 623-page report outlining 23 recommendations concerning regulation for digital platforms, with a particular focus on Google and Facebook, according to TIME. The recommendations include reforming the country's Privacy Act with stronger protections for personal information and stricter penalties for companies that breach the act, and increasing monitoring for anti-competitive practices. The report also calls for investigations into the online advertising market, noting that Google and Facebook combined receive 71% of every AU$100 spent on online ads. ACCC chair Rod Sims told the Guardian that this report didn't advocate for breaking up the companies, although that option could be considered in the future. Sims added that the ACCC's current goal is pursuing five cases involving alleged breaches of competition laws by Google and Facebook.
Policies, procurements, and agency equities.
Robert A. Cohen, who led the US Securities and Exchange Commission's Division of Enforcement's Cyber Unit since its inception in 2017, will be leaving the agency in August after 15 years of service, the SEC announced this week.
Governor John Bel Edwards of Louisiana declared a state of emergency after three Louisiana school districts sustained cyberattacks last week, ZDNet reports. The declaration states that the "severe, intentional cybersecurity breaches" that occurred in the three school systems "may potentially compromise other public and private entities throughout the State of Louisiana."
Fortunes of commerce.
In the press release disclosing the breach it sustained, Capital One summarized the financial costs it expects to incur. "We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support." This, of course, falls far short of exhausting the costs to Capital One. The company's reputation and stock price have taken a hit from the data breach. The Wall Street Journal reports that Capital One's share price dropped almost 6% on Tuesday. MarketWatch puts the hit to the company's market cap at $3.2 billion so far, but they do note that most such scandals eventually blow over.
Cloud backup provider Carbonite's CEO Mohamad Ali is stepping down in order to take over as CEO of International Data Group on August 1st. Carbonite will be led temporarily by its board chairman Steve Munford until the company finds a new CEO, Xconomy reports.
Labor markets.
Boston-based Burning Glass Technologies has taken a look at the cybersecurity labor market and found that the much-reported talent gap persists. Efforts to increase the talent pool are showing some results, but they're basically keeping pace with rising demand, so the gap remains about where it was in 2015.
Mergers and acquisitions.
Reuters reports that BlackRock is in advanced talks to take over Cofense, after the Committee on Foreign Investment in the United States (CFIUS) asked Pamplona Capital Management to sell its 47% stake in the Virginia-based phishing awareness company for undisclosed reasons. According to the Wall Street Journal, Pamplona dragged its feet and failed to find a buyer for its stake by the July 19th deadline, so CFIUS is now threatening to levy daily fines against Pamplona and Cofense until the stake is sold. Several days ago, Pamplona resumed talks with BlackRock, which owns a 30% stake in Cofense.
Radware has told Calcalist that it's actively looking for acquisitions.
TechCrunch reports that Jamf, which specializes in managing Apple systems in the enterprise, has acquired Mac endpoint security start-up Digita Security. It's an augmentation of Jamf's capabilities, and it amounts to an acqui-hire: Digita's five employees now work for Jamf.
VMware has picked up Uhana for an undisclosed amount, ZDNet reports. Uhana is a startup that uses AI to automate network operations.
GoSecure has acquired email-security shop EdgeWave. EdgeWave brings with it some two-thousand customers and two-hundred channel partners.
The Boston Business Journal reports that Everbridge, a critical event management firm, has acquired threat intelligence software provider NC4 for cash and stock valued at $83 million.
Light Reading says A10 Networks is putting itself up for sale. Its founder and CEO is also departing. The company has been seeking to develop a strategy for growth as a 5G security shop.
Investments and exits.
Prevailion has raised $10 million in a Series A round led by AllegisCyber, with participation by previous investor DataTribe. Prevailion provides its customers with confirmed evidence of compromise for both the customers and the customers' partner ecosystem.
Palo Alto-based Confluera has raised $9 million in a Series A round, and has announced the launch of its new Real-time Attack Interception and Defense platform ("RAID"). The funding round (described as "oversubscribed") was led by Ravi Mhatre of Lightspeed Venture Partners, with the participation of other industry partners, SecurityWeek reports.
Solana, which bills itself as the blockchain built for speed, has raised $20 million in a Series A round. The company intends to use the money in developing its platform. CoinDesk says that the investment was led by Multicoin Capital, with participation by Distributed Global, Blocktower Capital, Foundation Capital, Blockchange VC, Slow Ventures, NEO Global Capital, Passport Capital, and Rockaway Ventures. An interesting wrinkle: the investors received SOL tokens and not equity.
Truework, based in San Francisco and offering cloud-hosted identity verification solutions, raised $12 million in a Series A round. VentureBeat reports that Sequoia Capital led the investment, with participation by Stanford University and existing investors Khosla Ventures, Menlo Ventures, and Founder Collective.
Altitude Networks, which specializes in security for cloud collaboration, has raised $9 million in Series A funding. Felicis Ventures led the round. The Slack Fund, previous investor Accomplice, and personal investor Alex Stamos (formerly of Facebook, now of Stanford University) also participated.
Maryland-based Trinity Cyber emerged from stealth on Monday with a $23 million investment from Intel Capital and other investors. Trinity Cyber offers a SaaS solution that monitors all traffic entering and exiting a client's network in order to detect and disrupt cyberattacks as they occur, according to VentureBeat. The company's management team includes former Homeland Security Advisor Tom Bossert.
DataGrail, a company that provides a platform for data privacy compliance, has raised $5 million in a funding round led by Cloud Apps Capital, along with Basis Set Ventures and Okta Ventures. The round puts the company's total funding at $9.2 million.
Israel-based railway cybersecurity company Cervello has raised $4.5 million in a seed funding round led by North First Ventures and Awz Ventures, with participation from Nissim Bar-El, SecurityWeek reports.
FanDragon Technologies has raised $12 million in funding from unnamed investors, according to the Los Angeles Business Journal. The startup will provide software that uses a blockchain to ensure secure and legitimate ticket delivery for companies and events.
The next major IPO could be Cloudflare, which Crunchbase News says is quietly preparing to go public.
And security innovation.
Swiss startup accelerator Kickstart announced the forty-eight tech startups that have been selected for its fourth innovation program in Zurich. Some of the companies in this class are deception technology shop Illusive Networks, predictive cyber risk modeling firm Kovrr, automated breach and attack simulation provider XM Cyber, supply-chain security assessment provider CyNation, ICS, OT, and IoT security company Enigmedia, and data anonymization company Statice.
Australia's innovation center, Data61, is looking for a new CEO. ZDNet reports that Adrian Turner is moving on to found a new venture.