Tracking a distinct population: China's surveillance of its Uyghur minority.
Let us begin with a quick review of a story that broke a week ago, because it's continued to develop. We saw last week that Google's Project Zero had released details of its research into a quiet, sustained watering-hole campaign against iPhone users. They found five distinct exploit chains in use by the attackers. "There was no target discrimination," Google's blog said, "simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week." Apple patched the zero-day vulnerability back in February that the campaign had exploited. Google notes that this is just one campaign, and "there are almost certainly others."
These reports were amplified over this past weekend. Forbes reported that the attacks also affected Android and Windows systems. There was speculation at the time of the initial reports that the attacks, which in Google's account seemed relatively indiscriminate, were in fact intended to target specific groups. It now appears, according to TechCrunch, that the attackers were Chinese security services, and the targets were China’s predominantly Muslim Uyghur minority.
Those same security services, Reuters said at week's end, have also compromised telecommunication network in several Asian countries with a view to keeping track of the activities of Uyghur travelers abroad.
APT3 and EternalRomance
Other notes on Chinese activity focus on what appears to be a systematic effort to turn leaked Equation Group tools to Beijing's operational advantage. A Check Point study of China's Buckeye group (also known as APT3 or UPS team) has followed up earlier work by Symantec and taken a look at Buckeye's Bemstour tool. Check Point concludes, with appropriate reservations about the inevitable uncertainty of such assessments, that Bemstour has adapted the Equation Group's EternalRomance exploit to its own purposes. As the researchers put it in their conclusion, "attack artifacts of a rival (i.e. Equation group) were used as the basis and inspiration for establishing in-house offensive capabilities."
More on Stuxnet, and how Natanz was attacked.
A report in Yahoo News offers details on the Stuxnet attack against Iran’s Natanz uranium enrichment plant. The authors, Kim Zetter and Huib Modderkolk, say that the US CIA and Israel’s Mossad approached the Netherlands intelligence service AIVD, which had an asset close to Iran’s nuclear program. According to the story that asset (described as a “mole” who had been trained as an engineer) was able over a protracted period of time to deliver the Stuxnet attack code via USB to the air-gapped centrifuge controllers at Natanz.
While the principal cooperating intelligence services were American, Israeli, and Dutch, the German, French, and British services are also said to have participated. The agent on the ground is reported to have provided the American and Israeli services with the technical information necessary for precision targeting: Stuxnet was intended for the controllers at Natanz only, not for any of the many other users of Siemens programmable logic controllers around the world.
The Dutch service became interested in Iran’s nuclear program when rogue Pakistani physicist Abdul Qadeer Khan stole centrifuge designs from a Dutch company in the 1970s, used them in Pakistan's nuclear program, and then sold them to other aspiring nuclear states, including Libya, Iran, and, probably, North Korea. AIVD infiltrated A.Q. Khan’s supply network, which for the most part consisted of European consultants and front companies. It also succeeded in hacking email systems used by Iran’s nuclear weapons program. Thus they had assets in a position to help when friendly powers asked for assistance.
North Korea to the world: we didn't do it.
Reuters reports Pyongyang's reaction to a report prepared for the United Nations' Security Council that found the DPRK heavily involved in cybercrime, particularly raids on banks and cryptocurrency exchanges. The report suggests that the cyber crimewave netted North Korea some $2 billion, most of it earmarked for the country's nuclear weapons and ICBM programs. It's a provocation, the DPRK says. "Hostile forces" are spreading "ill-hearted rumors," and the United States is at the bottom of the conspiracy. “Such a fabrication by the hostile forces is nothing but a sort of a nasty game aimed at tarnishing the image of our Republic and finding justification for sanctions and pressure campaign against the DPRK.”
Ransomware foreshadows attacks on US elections?
Ransomware attacks against US local governments continue to surge. Schools in Orange County, New York, for example, delayed the opening of school this week as they deal with a ransomware infestation, CBS Local says.
The wave of attacks is drawing attention to a Russian criminal gang, StateScoop reports. CrowdStrike calls the gang "Wizard Spider," best known for its operation of TrickBot. The group has a sub-gang, "Grim Spider," which has been associated with Ryuk ransomware.
Ransomware seems to be shaping a complicated bandit economy. Emsisoft thinks there's a good chance that extortionists' preference for payment in alt-coin has driven a rise in the value of Bitcoin. Pro Publica has argued that insurance companies themselves contribute to this section of the criminal economy by pushing clients to pay ransom, which can be cheaper for the underwriters than covering unransomed losses. As BankInfo Security points out, experts remain skeptical that the criminals actually look for insured targets to hit, but bandits do respond to their own market forces.
The head of NSA's Cybersecurity Directorate, Anne Neuberger, said Wednesday at the Billington CyberSecurity Summit that ransomware represents an "interesting" threat to upcoming US elections. TheHill quotes Neuberger as saying ransomware will be a "focus" of her Directorate during the election cycle. Emsisoft thinks extortionists are choosing targets likely to pay. An IBM study concludes that taxpayers oppose paying.
Deep fakes for the lulz.
Zao, an app that went viral at the end of last week, enables users to put their faces onto the bodies of actors in movies, video, and so on. Zao was available only to users with Chinese phone numbers, but reporters at the Guardian and the Telegraph saw enough to be spooked, and to have convinced their editors that this is the deep fake platform that everyone's been so worried about. It's become an overnight sensation in China, where a lot of people apparently want to see themselves in the movies and on the TV.
There's also been a backlash, however, and CNN reports that Zao has pulled in its horns a bit. Part of the concerns are legal, or at least reputational. Zao's terms of service gave it rights in perpetuity to pictures of people who uploaded their images to its service, and as much as people may have wanted to put their head on Charlie Sheen's or Lindsay Lohan's body to virtually disport themselves on the small screen, they didn't like the idea of rendering themselves up to Zao. "This is a new product. We were indeed inconsiderate about people's core concerns," Zao apologized.
Phishing proof-of-concept: over-the-air provisioning.
Check Point warns that Android devices could be hit by an advanced phishing technique that exploits the over-the-air provisioning carriers use to bring new phones onboard. The weakly authenticated SMS messages are readily spoofed. Check Point notes that the industry standard for over-the-air provisioning, Open Mobile Alliance Client Provisioning, offers limited authentication methods that can make it difficult for someone setting up their service to determine whether the settings a message suggests come from the legitimate network provider or from some imposter. For now it’s a Check Point proof-of-concept, but it offers mobile users something to think about.
Crime and punishment.
According to CyberScoop, Paige "erratic" Thompson pleaded not guilty to all charges brought in connection with the Capital One hack.
The Washington Post reports that Jeremy Hammond, a former member of Lulzsec serving time for his 2013 conviction of violating the Computer Fraud and Abuse Act in connection with the hacking of Stratfor and the subsequent release of stolen documents to Wikileaks, has been transferred to Virginia, presumably to testify before a Federal grand jury considering charges against Wikileaks impresario Julian Assange. Mr. Assange is serving a jail sentence in the UK and fighting extradition to the US,
The US Attorney for the Southern District of California has filed charges against four employees of an email advertising company. KrebsOnSecurity says that the four accused, employed by Adconion Direct, allegedly hijacked IP addresses for use in email advertising campaigns. The prosecutors maintain that the four accused inveigled an Internet hosting firm, Hostwinds, into routing the IP addresses on their behalf. Krebs also says that the Government appears to have had Adconion's email practices under investigation since 2015 at least, and that the charges just filed may be the opening round in a wider prosecution.
The Feds got a guilty plea from one Kenneth Schuchman, who copped to involvement in the Satori botnet. The Register calls Mr. Schuchman, who’s just a tender twenty-one years of age, a “script kiddie.” Their unkind lede is "One moron down, two to go."
Courts and torts.
The US Federal Trade Commission and Google have agreed to a $200 million dollar settlement over abuses of children's privacy that took place on YouTube, the Wall Street Journal reports. This is an order of magnitude larger than what the FTC hit Google with during their last engagement, although the $5 billion the Commission exacted from Facebook does make Mountain View's fine look like chickenfeed.
Huawei alleged this week ("without evidence," as the New York Times puts it) that the company has been the victim of a US Government campaign of hacking and harassment of its employees.
The Wall Street Journal reported Friday morning that state attorneys general are opening antitrust investigations of Facebook. New York’s Attorney General is leading this effort, to be joined by Colorado, Florida, Iowa, Nebraska, North Carolina, Ohio, Tennessee, and the District of Columbia. On Monday it’s expected, the Journal says, that Texas will announce that it and some three-dozen other states are opening an investigation of Google.
Policies, procurements, and agency equities.
The US Department of Defense issued a draft of Version 0.4 of its Cybersecurity Maturity Model Certification (CMMC). Comments are open until September 25th. The CMMC establishes cybersecurity standards for Defense contractors. A revised draft is expected in November of this year.
It's clear that the 2020 US elections will be the first big test of the Department of Homeland Security's youngest agency. At the 10th annual Billington CyberSecurity Summit this week, Christopher Krebs, Director of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, discussed his agency's vision. CISA has, he said, five principles of execution and two goals. The principles include operating with the statutory authority to collaboratively lead critical infrastructure protection, staying "results-driven" and "risk-focused," working conscientiously within the framework of Constitutional rights and national values, and "executing and engaging as one agency, in one fight, as one team."
CISA's goals are to "defend today" and "secure tomorrow." The agency's priorities include securing government networks (and this includes rendering appropriate support to state and local governments), securing elections, protecting soft targets and crowded places, and defending industrial control systems. "In 2020, we're going to lead," Krebs concluded, returning to the central challenge of election security. "We're not going to let the Russians or the Chinese in."
Ciaran Martin, CEO of the UK's National Cyber Security Centre, also spoke at the Billington Summit. We find ourselves, Martin argued, defending open, digital societies. Prosperity is a social concern, and critical infrastructure presents a serious national risk. Cyber security is at base about defending a way of life. We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and implacably hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy. And state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. And it's worth noting that none of the four state bad actors or the criminal gangs have any particular stake in an open, reliably useful Internet.
Operating in this world has led Martin to three conclusions. First, "Government matters." The Internet is a public good, but well-intentioned calls for public-private partnership have proven, he argued, “a recipe for inaction.” Instead, governments should take responsibility for detection, resilience, and making technology safer. That third responsibility he emphasized. It’s too easy, Martin said, to succumb to what he called “producer capture,” the sort of Hobson’s choice of security design big companies in his view too often offer their customers. Second, we must "think carefully about our own footprints." Cyberspace may be an operational domain, but fundamentally it's a peaceful domain, and we must, he argued, act in cyberspace with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence.
Fortunes of commerce.
Vietnamese telecom carriers have decided to forego Huawei equipment for the country's 5G networks. They've decided that Huawei presents them with an unacceptable security risk, the Nikkei Asian Review reports.
Mergers and acquisitions.
The US Federal Trade Commission has granted Broadcom early termination of the required Hart-Scott-Rodino waiting period in its acquisition of Symantec's enterprise business.
With plans to give customers more insight into their enterprise applications, Splunk is buying Omnition for an undisclosed sum, ZDNet reports. Omnition, a software-as-a-service start-up, will bring Splunk "more than a dozen engineers with significant expertise in tracing and observability."
SecurityWeek says that Palo Alto Networks is buying IoT security shop Zingbox for $75 million in cash. Palo Alto intends to integrate its acquisition's technology into its Next-Generation Firewall and Cortex platforms.
Investments and exits.
According to Bloomberg, Palantir is believed to be delaying its long-anticipated IPO until 2022 or 2023 as it pursues additional private investment.
New York-based privacy start-up BigID has received a $50 million Series C round, TechCrunch reports. The company intends to offer a platform that combines data discovery, classification, and correlation, all in the service of privacy and compliance. Bessemer Venture Partners led the round, with participation by Comcast Ventures, SAP.io Fund, Boldstart Ventures, Scale Venture Partners, ClearSky, and Salesforce Ventures.
Coindesk reports that Elliptic, a blockchain forensics firm that traces suspicious transactions in the blockchain, has raised a $23 million Series B round led by SBI Investment, with participation by AlbionVC, SignalFire, Octopus Ventures, and Santander Innoventures. Tokyo-based SBI intends to deploy Elliptic's technology across its own enterprise.
Bot-mitigation shop PerimeterX has increased its Series C round to $57 million. The company intends to use the investment to enhance its web application platform and accelerate its go-to-market push. Deutsche Telekom Capital Partners and Salesforce Ventures provided the additional investment.
And security innovation.
Maryland-based DreamPort, whose mission is the incubation of innovative cybersecurity technologies for the US Government, will double its physical facilities this fall, Technical.ly Baltimore reports.