We're pleased to announce our new subscription program, CyberWire Pro, launching early in 2020. For cyber security professionals and others who want to stay abreast of our rapidly evolving industry, CyberWire Pro is a premium news service that will save you time as it keeps you informed. Learn more and sign up to get launch updates here.
Join Dragos and CrowdStrike on December 17 for a 30 minute webinar discussion about the unique challenges in IT and OT environments. Hear how to improve your ICS security posture, address the OT skills gap and get better visibility of potential attacks. Register today.
Iranian groups deploy a new wiper.
IBM X-Force discovered a new strain of wiper malware after it was used in targeted destructive attacks against energy and industrial organizations in the Middle East. The malware, which X-Force calls "ZeroCleare," displays similarities to Shamoon, and the researchers believe it was developed and deployed by multiple Iranian threat actors working together. One of these groups seems to be APT34 (also known as OilRig), and X-Force says that despite NSA and GCHQ's recent warning that the Russian group Turla had access to APT34's infrastructure, the ZeroCleare campaign doesn't appear to be a false flag operation.
China fires its Great Cannon.
Endpoint security, firewalls, VPNs, authentication systems… we’ve all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? The unfortunate reality is that each of these security layers can provide hackers with a back-door right into your organization. And in this exclusive webinar Kevin Mitnick is going to show you how.
Cyberattacks against nuclear power companies.
The Telegraph reports that the UK’s National Cyber Security Centre has been discreetly assisting a nuclear power company with its recovery from a cyberattack it sustained earlier this year. The nature of the attack is unknown, as is the identity of the targeted company. A Nuclear Decommissioning Authority report obtained by the Telegraph simply referred to the victim as "an important business in the Nuclear Power Generating Sector."
In a separate event, the International Business Times reports that North Korea's Lazarus Group was seeking information on Thorium-based nuclear reactors when it reportedly hacked into the IT systems of India's Kudankulam nuclear facility.
PyXie RAT delivered by Tetris, among other things.
Blackberry Cylance researchers have published an analysis of a remote access Trojan they’ve named “PyXie.” The malware is written in Python and has been active since at least 2018. PyXie is currently being used in a campaign targeting “a wide range of industries,” and has been seen delivering ransomware to organizations in the healthcare and education sectors. The researchers have also seen cases in which a malicious version of an open-source Tetris game was used as a loader to deliver PyXie. PyXie’s capabilities include man-in-the-middle attacks, web injection, keylogging, network scanning, credential harvesting, data exfiltration, video recording, and more.
The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. Through a partnership with the CyberWire, each of CyBOK's knowledge areas will be featured in its own podcast. The first few episodes are available on your favorite podcast app. Visit the website to learn more.
China uses traditional espionage to acquire quantum technology.
Security startup Strider published a report outlining how China has exploited quantum research labs in the US, the UK, Germany, and Switzerland. The report says China had "unwritten agreements" with Chinese scientists that were sent to study at leading research institutions in the West. These scientists had agreed to return to China afterward and "collaborate with Chinese state-owned defense companies to develop military applications for quantum technologies." Among the universities penetrated in the US were MIT, the University of Colorado and Louisiana State University, while the European institutes included Heidelberg University, Vienna University, Cambridge University, and the University of Geneva.
The scientists returned to the University of Science and Technology of China (USTC) and helped Chinese government-owned defense companies develop "stealth aircraft detection with quantum radar, submarine detection with a quantum magnetometer, and unbreakable encryption with satellite-earth quantum key distribution."
The 6th Annual Cybersecurity Conference for Executives, hosted by The Johns Hopkins University Information Security Institute and Ankura, will be held on Wednesday, March 25th, in Baltimore, Maryland. The theme is cybersecurity risk management, and the conference will feature discussions with thought leaders across a variety of sectors. Join the discussion and learn how to address the top risks within your organization.
Sprint contractor exposes mobile customers' data.
A contractor working for US mobile provider Sprint exposed more than 261,000 mobile phone bills belonging to AT&T, Verizon, and T-Mobile subscribers, TechCrunch reports. The data were stored in an AWS bucket without a password. The contractor had bills from Sprint’s competitors because Sprint offers to pay its customers’ early termination fees if they break a contract with their service provider in order to switch to Sprint.
The documents included names, addresses, phone numbers, and, in many cases, call histories. TechCrunch identified the company responsible—Deardorff Communications—and contacted its president, Jeff Deardorff, who said he "[has] launched an internal investigation to determine the root cause of this issue, and we are also reviewing our policies and procedures to make sure something like this doesn’t happen again."
MacOS Trojan bears similarities to Lazarus Group's AppleJeus.
A new Trojan designed for MacOS appears to belong to North Korea's Lazarus Group, Naked Security reports. Security researcher Patrick Wardle noted similarities to other strains of Lazarus Group malware, particularly AppleJeus. This new strain is fileless, and can download and execute additional payloads while residing in the infected system's memory. The malware is distributed from a website posing as a cryptocurrency trading platform. BleepingComputer says it appears to be first-stage malware, as it doesn't seem to do anything on its own besides collecting system information and contacting a command-and-control server. Its goal is probably stealing cryptocurrency, which is in keeping with Lazarus Group's history of conducting financially motivated attacks.
Check out “Caveat,” the CyberWire's newest weekly podcast addressing cybersecurity law and policy, with a particular focus on surveillance and digital privacy. This podcast is hosted by our own Dave Bittner and Benjamin Yelin, Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Each week, Dave and Ben break down important current legal cases, policy battles, and regulatory matters along with the news headlines that matter most. Have a listen.
DHS updates its list of top vulnerabilities.
The Department of Homeland Security updated its list of the top twenty-five most dangerous software vulnerabilities for the first time in eight years. While the previous version of the list was formulated based on interviews and surveys of experts in the industry, DHS says the list was updated using a “data-driven approach based on real-world vulnerabilities reported by security researchers.” The number one vulnerability is now “Improper Restriction of Operations within the Bounds of a Memory Buffer,” while the previous top weakness, SQL injection, moved down to number six.
Android's batch of December updates contains a patch for a critical denial-of-service bug, according to Naked Security. Google warned that an attacker could exploit the flaw by sending a message that would cause a "permanent" denial-of-service for the targeted device. It's not clear what Google means by "permanent," but Naked Security wisely points out that "users won’t want to find out the hard way."
Crime and punishment.
The US Justice Department on Thursday charged two Russian citizens, Maksim Yakubets and Igor Turashev, for developing and distributing the Dridex banking Trojan. The DOJ names Yakubets as the leader of a criminal group called "Evil Corp." The UK's National Crime Agency (NCA), which closely assisted in the investigation, said Evil Corp "represents the most significant cyber crime threat to the UK." The charges come as the result of collaboration between the NCA, Britain's NCSC, and the US FBI. The US State Department announced a $5 million reward for information leading to Yakubets's arrest. ZDNet notes that this makes Yakubets the top-ranked hacker on the FBI's most wanted list, easily overtaking the $3 million reward offered for Evgeniy Mikhailovich Bogachev.
Also on Thursday, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions against nine members of Evil Corp, six entities linked to the group, and eight individuals who served as “financial facilitators” for the cybercriminals. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert with technical details on Dridex.
An Ethereum Foundation staff member, Virgil Griffith, was arrested by the US government on Friday and charged with violating US sanctions against North Korea. Griffith presented at a cryptocurrency conference in Pyongyang, despite being denied permission to do so by the US State Department. The government says Griffith's presentation "provided the DPRK with valuable information on blockchain and cryptocurrency technologies, and participated in discussions regarding using cryptocurrency technologies to evade sanctions and launder money."
An international law enforcement operation led by the Australian Federal Police (AFP) resulted in the arrests of thirteen prominent users of the Imminent Monitor remote access Trojan, Europol announced. Imminent Monitor was cheap, easy-to-use, and effective, which made it an extremely popular criminal tool. Imminent Monitor’s website was also taken down, and the malware’s nearly fifteen-thousand buyers have lost access to licensed versions of the Trojan. The AFP said it launched the investigation in 2017 based on a referral from the FBI and Palo Alto Networks' Unit 42. Unit 42 has a write-up of how they identified Imminent Monitor's developer.
Courts and torts.
Huawei on Wednesday filed a challenge against the FCC's order barring US telecoms that receive Federal subsidies from buying equipment from Huawei or ZTE, the Washington Post reports. The company also filed three defamation claims in France against a researcher, a journalist, and a telecommunications expert, each of whom alleged that Huawei was controlled by the Chinese state and was using its telecommunications equipment to conduct espionage, according to Bloomberg.
Four former Google employees are filing charges of unfair labor practices against Google, claiming the company fired them for workplace organizing. A Google spokesperson told Vox in response that "[w]e dismissed four individuals who were engaged in intentional and often repeated violations of our longstanding data security policies, including systematically accessing and disseminating other employees’ materials and work. No one has been dismissed for raising concerns or debating the company’s activities." The four employees say the company's assertion is "flatly untrue."
NSS Labs dismissed without prejudice the antitrust complaint it had filed against CrowdStrike, Symantec, ESET, the Anti-Malware Testing Standards Organization (AMTSO), and Does 1-50. NSS Labs's CEO Jason Brvenik said that "during the past year, AMTSO has made progress to be more fair and balanced in its structure, vendors have shown progress in working with testing organizations, and the market itself has had significant change and notable acquisition activity."
Facebook filed a lawsuit against a Chinese advertising company that allegedly used malware to compromise Facebook users' accounts and then used those accounts to host ads for counterfeit products. According to Threatpost, Facebook paid more than $4 million to reimburse the users whose accounts had been compromised.
Policies, procurements, and agency equities.
France's national cybersecurity agency ANSSI is considering striking back at the hackers who launched a ransomware attack against a Rouen hospital in mid-November, according to Bloomberg. The Russian criminal group TA505 is suspected to be behind the attack. ANSSI's Director General Guillaume Poupard said the group was looking for more targets in France, and that "[t]he French law allows us to be active against the attacker, to neutralize it."
The US Senate is publicly debating a Federal privacy bill, TheHill notes. The two primary areas of contention relate to whether such a law would override state privacy laws and whether it would allow individuals to sue companies that violated their privacy. Republicans support the former policy, while Democrats support the latter, and both parties disagree with the other's position. During a hearing on Wednesday, TheHill says, the parties seemed to make a modicum of progress toward a bipartisan solution for a national privacy law, but this legislation is almost certainly a long way off, assuming it's feasible at all.
The US Commerce Department last week laid out its plan to enforce President Trump's executive order prohibiting US telecommunications companies from using equipment from companies deemed to be national security risks, Reuters reports. Secretary of Commerce Wilbur Ross will take a "case-by-case, fact-specific approach to determine which transactions must be prohibited, or which can be mitigated." Ross will have the final decision on which countries, companies, and transactions pose a threat to national security.
The US Army is reviewing whether the China-based app TikTok presents security or intelligence risks, CNBC reports.
Russia passed a law banning any computing device that doesn't come pre-installed with locally developed software, the BBC reports. The law doesn't restrict devices from running foreign software, but they'll have to run Russian alternatives out-of-the-box. The law's authors say this will help Russian software companies and make it easier for Russians to use their devices, but critics worry that the law will be used to increase surveillance, since the Russian government is responsible for determining which software must be installed. The law comes into effect in July, 2020.
The Chinese government now requires anyone buying a SIM card in China to undergo a facial recognition scan, Computing notes.
Fortunes of commerce.
Google co-founders Larry Page and Sergey Brin are leaving their respective roles as CEO and president of Alphabet, and Sundar Pichai will become CEO of both Google and Alphabet.
MIT Technology Review reports on Hacking Team's efforts to reinvent and revive itself following a disastrous data breach in 2015 and the cultivation of a generally poor reputation. The company was acquired in March by Milan-based InTheCyber, which combined Hacking Team with InTheCyber's research and development unit to form a new company, Memento Labs. Memento Labs is now selling RCS X, a revamped version of Hacking Team’s Remote Control System (RCS) surveillance tool.
Mergers and acquisitions.
Investments and exits.
Sweden-based website vulnerability scanning company Detectify has closed a $23 million Series B round led by Balderton Capital, with participation from existing investors Paua Ventures, Inventure, and Insight Partners, according to Toolbox.
Spanish cybersecurity company Buguroo has raised $11 million in a Series A funding round led by Ten Eleven Ventures and Seaya Ventures, with participation from existing investors Inveready Technology Investment Group and Conexo Ventures.
South Korea-based email security company SecuLetter received $6 million in a Series B funding round from Riyadh Valley Company (RVC) and the Korea Development Bank (KDB Bank), along with existing investor, the Korea Investment Partners.
Israel-based breach and attack simulation platform provider Cymulate has secured $15 million in a Series B funding round led by Vertex Growth Fund, with participation from existing investors Vertex Ventures Israel, Dell Technologies Capital, and Susquehanna Growth Equity (SGE).
Palo Alto, California-based data behavior analytics provider Cyberhaven closed a $13 million Series A round co-led by Vertex Ventures and Costanoa Ventures, with participation from Crane Venture Partners.
Today's issue includes events affecting Australia, China, France, Germany, India, Iran, Israel, Democratic People's Republic of Korea, Republic of Korea, Russia, Spain, Sweden, Switzerland, United Kingdom, and United States.
Research Saturday is up. In this week's episode, "Targeting routers to hit gaming servers," we hear from researchers at Palo Alto Networks' Unit 42, who have outlined attacks on home and small-business routers. These attacks take advantage of known vulnerabilities to incorporate the routers into botnets, which are ultimately used to attack gaming servers. Jen Miller-Osborn is Deputy Director of Threat Intelligence for Palo Alto Networks' Unit 42, and she joins us to share their findings.