By the CyberWire staff
Phosphorus targets the US presidential election.
Microsoft has identified "significant cyber activity" by the threat group it calls "Phosphorus" (also known as APT35 or Charming Kitten), which is linked to the Iranian government. Redmond saw the group make more than 2,700 attempts to identify email accounts belonging to personnel "associated with a U.S. presidential campaign, current and former U.S. government officials, journalists, and prominent Iranians living outside Iran." Phosphorus launched attacks against 241 of the identified accounts, of which four were compromised.
Reuters reports that the presidential campaign that was targeted was President Trump's re-election campaign. Microsoft stressed that the four compromised accounts didn't belong to presidential campaign personnel or US government officials.
The attacks primarily involved using information about the targets to try and exploit password reset and account recovery features. These activities weren't technically advanced, but Microsoft says the attackers "attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks," which "suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering."
Those commenting on the Iranian campaign have observed that Tehran has apparently learned from Moscow’s playbook. This seems correct with respect to Iran's understanding of the new possibilities social media open up for information operations: false personae, amplified messaging, compromise of influential accounts, and so on. But in other respects the campaign differs from those that have emanated from Russia. Russian influence operations have tended to have simple disruption as their aim, with the strategic objective being to widen pre-existing fissures and exacerbate mistrust in the societies they target. Such purely negative objectives would seem easier to achieve than influencing a society or its leaders in a particular direction, which is what Tehran seems interested in. In this respect the Iranian style in influence operations resembles China’s more than it does Russia’s. Iran's strategy and operational art were characterized at an NSA media roundtable this Thursday as aggressive, willing to be destructive, and focused closely on achieving regional objectives.
The US Senate Intelligence Committee reports on Russian election influence operations.
The US Senate Intelligence Committee has issued the second volume of its report, "Russian Active Measures Campaigns and Interference in the 2016 U.S. Election." The St. Petersburg-based Internet Research Agency was the focus of the Committee’s study. They found that its operations were directed by the Russian government, and that its messaging was overtly supportive of then-candidate Trump.
It also found that Russian social media operations were overwhelmingly concerned with race, with African-Americans disproportionately addressed. The goal of the information effort was, substantially, to increase mistrust along fissures in American society. The troll farmers’ activity actually increased after Election Day. "Instagram activity increased 238 percent, Facebook increased 59 percent, Twitter increased 52 percent, and YouTube citations went up by 84 percent," the Committee found.
Senator Richard Burr, Republican of North Carolina, who chairs the Select Committee on Intelligence, summarized: "By flooding social media with false reports, conspiracy theories, and trolls, and by exploiting existing divisions, Russia is trying to breed distrust of our democratic institutions and our fellow Americans.”
Work with the world’s experts in Dark Web analysis.
Based on years of law enforcement and military experience plus current work with international agencies, ReSecurity’s Hunter Unit pulls and analyzes the best data and delivers it in the most actionable format. We provide human-curated, in-depth analysis layered on top of the most comprehensive, exclusive sets of data from the Deep and Dark Web.
Reductor RAT marks TLS traffic.
Kaspersky researchers describe a type of malware dubbed "Reductor," which they've tentatively attributed to the Russian-linked APT Turla based on the malware's targeting and sophistication. Reductor is a remote access Trojan that has the ability to manipulate digital certificates and mark outbound TLS traffic using an "ingenious" technique. The malware uses an embedded Intel instruction length disassembler to modify the pseudo random number generator (PRNG) functions used by Chrome and Firefox browsers to create the 'client random’ sequence at the start of the TLS handshake. The PRNG functions are modified to add unique hardware and software-based identifiers for each victim to the 'client random' field, allowing the attackers to mark TLS traffic without actually interacting with the packets. The researchers believe the traffic is marked to assist in sorting out victims' traffic in man-in-the-middle attacks.
Reductor was developed by the same crew responsible for the COMpfun Trojan, which Kaspersky has also linked to Turla, and it's targeting users in Russia and Belarus. The researchers found that Reductor is spread by "either infecting popular software distributions...or its decryptor/dropper is spread using COMpfun’s ability to download files on already infected hosts." It's able to infect software distributions because the attackers "have some control over the target’s network channel and could replace legitimate installers with infected ones on the fly."
Attor cyberespionage campaign active for years.
Researchers at ESET have discovered a cyberespionage platform they've named "Attor" that's been used to go after "privacy-concerned targets" since at least 2013. The malware possesses "a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM devices." ESET says the espionage campaign is highly targeted, and most victims are located in Russia. Other countries affected include Ukraine, Slovakia, Lithuania, and Turkey.
The researchers haven't identified the initial infection vector, and they believe there are additional plugins for the malware that haven't been discovered yet. They conclude that this is a highly sophisticated effort and it's "well worth further tracking of the operations of the group behind this malware."
Free ICS Webinar: Threat Intelligence Explained, Examined & Exposed
Join Dragos and the CyberWire on October 22 to hear how threat intelligence can help your organization reduce risk by improving detection, response and prevention of critical infrastructure. We’ll share real world insights from hunting some of the most sophisticated threats and cover vulnerable assets that need protection. Register today.
Mustang Panda.
Anomali warns of ongoing activity by the Chinese-linked APT Mustang Panda. Based on the phishing lures they've observed, the researchers believe the campaign's primary target is the Communist Party of Vietnam, with additional focus on people interested in UN Security Council resolutions regarding ISIL, MIAT Mongolian Airlines, the non-profit China-Zentrum e.V., Shan Tai Theravada Buddhists, and a number of countries including Germany, Mongolia, Myanmar, Pakistan. Anomali believes the lures concerning UN Security Council resolutions may be "indicative of think-tank targeting." The documents delivered either the penetration testing tool Cobalt Strike Beacon or the remote access tool PlugX.
Mustang Panda has been tracked by CrowdStrike since April 2017, and Anomali says some of the documents in this campaign appear to date back to October 2017.
US companies criticized for caving to Beijing.
Several US companies and organizations have drawn criticism for capitulating to Chinese pressure with regard to the Hong Kong protests. Apple removed an app that tracked the locations of Hong Kong police and protesters following criticism from a Chinese state newspaper, Reuters reports. According to Quartz, Apple said in a statement that, according to the Hong Kong Cybersecurity and Technology Crime Bureau, "the app has been used to target and ambush police, threaten public safety, and criminals have used it to victimize residents in areas where they know there is no law enforcement." In a separate move, Apple removed the Quartz news app from its App Store in China after the Chinese government deemed the publication illegal, the Verge notes.
The NBA also received criticism from a bipartisan group of US Senators and Representatives after the professional basketball league apologized to China for a tweet by the general manager of the Houston Rockets, Daryl Morey, which expressed support for the Hong Kong protests. The Congressional criticism was decidedly bipartisan, uniting even Republican right and Democrat left.
Likewise, California-based video game publisher Blizzard Entertainment banned a professional Hearthstone player from tournaments and revoked $10,000 in prize money over the player's support for the protests. Forbes notes that Blizzard hasn't made an official statement on the measure, but the Daily Beast reports that many of the company's employees aren't happy about the decision.
Try cloud-native network detection and response for free!
ExtraHop Reveal(x) Cloud is SaaS-based NDR for AWS, giving you complete visibility, real-time detection, and automated threat response in the cloud. Request your free 30-day trial today.
Patch news.
Signal promptly fixed an eavesdropping flaw that could have allowed someone using a modified version of the app to force someone's device to answer a call without user interaction. According to Naked Security, the bug was patched on Android and iOS the same day it was reported.
Microsoft patched sixty flaws for October's Patch Tuesday, only nine of which were deemed critical. Adobe had none. KrebsOnSecurity calls it a "relatively light patch batch."
Crime and punishment.
US Defense Intelligence Agency analyst Henry Frese has been charged with two counts of willful transmission of national defense information. The Government alleges that Frese gave two reporters highly classified material. One reporter worked for CNBC, the other for MSNBC. The Washington Post says Mr. Frese was interested in advancing the reporters' careers, and the Guardian reports that he was "romantically involved" with one of the journalists.
In the UK, Simon Finch, a former BAE Systems contractor from Wales, has been accused of leaking "highly sensitive information relating to UK defence," according to the Register. Mr. Finch apparently made the disclosure last October because he held a grudge against the Merseyside Police. He will now have the opportunity to air that grudge at the Old Bailey itself.
Iowa Chief Justice Mark Cady has apologized for authorizing physical penetration tests against county courthouses without the knowledge of county law enforcement officials, CBS 2 Iowa reports. Cady said that "in our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made." Two Coalfire employees had been arrested by local police as a result of the misunderstanding, and were arraigned on burglary charges.
Calling all Women in Cyber Security: Join us!
The CyberWire will be bringing together women from around the region and across the nation to celebrate their contributions and successes in cybersecurity industry. Join us at the International Spy Museum in Washington, DC on October 24th at 6th Annual Women in Cyber Security reception. Request an invitation.
Courts and torts.
The Guardian reports that Prince Harry is suing the News Group Newspapers and MGN Ltd. over phone hacking that occurred between 1994 and 2011. The well-documented incident involved British tabloids gaining access to the voicemails of celebrities and other public figures, including those of the royal family.
The UK Court of Appeal will allow a £3 billion ($3.9 billion) lawsuit against Google to proceed, Naked Security notes. The lawsuit involves Google's manipulation of an anti-tracking feature in Apple's Safari browser that allowed Mountain View to place cookies in Safari and track users for advertising purposes. The activity took place in 2011 and 2012, and the company has already paid $22 million to the FTC and $17 million to thirty-seven US states.
Policies, procurements, and agency equities.
At NSA's Cybersecurity Directorate media roundtable, held at Fort Meade this Thursday, Director Anne Neuberger and Technical Director Ziring explained that the new Directorate's missions weren't new, that NSA had been charged with them for years. What does distinguish the Cybersecurity Directorate from its predecessor Information Security Directorate (IAD) is the new organization's integration of intelligence analysis. It intends to accomplish its mission of preventing and eradicating threats by delivering actionable, contextualized intelligence to its customers. And, while NSA is and remains a combat support organization, those customers now include companies, universities, other Government agencies, organizations, and individuals. This has changed in part because the threat has changed: nation-states no longer confine their operations to other nation-states. See the CyberWire's account of the roundtable here.
Five US Republican Senators wrote to Microsoft president Brad Smith providing a list of publicly known reasons why the Government views Huawei as a security threat, and offered the possibility of future briefings to share classified information with Microsoft and other companies about the matter. The letter was written in response to a Bloomberg article which quoted Smith as saying that the US Government hasn't shared enough information to prove that Huawei deserves to be placed on an export blacklist.
The European Commission has published its long-anticipated study of 5G technology and the security challenges 5G will bring with it. The study doesn't name any specific nation-state as a threat, but Euractiv and others think there's little room for doubt that the report sees China and Huawei as problematic.
The US, UK, and Australian governments have asked Facebook to halt its plans to roll out end-to-end encryption across all of its messaging platforms without first ensuring that there is "a means for lawful access to the content of communications to protect our citizens."
Mark Zuckerberg will testify before Congress on October 23rd, where he'll answer questions about the upcoming Libra cryptocurrency and its digital wallet, Calibra, according to the Telegraph.
Fortunes of commerce.
Twitter revealed on Tuesday that the email addresses and phone numbers provided by users for multifactor authentication were sometimes being used for targeted advertising. The company says this was an error and apologized. The Washington Post notes that the FTC fined Facebook over a similar misuse of user data, but there's no indication yet of any potential legal action against Twitter.
The New York Times says the Trump administration will soon begin issuing licenses for certain US companies to sell "nonsensitive goods" to Huawei.
Labor markets.
One of the questions Director Neuberger and Technical Director Ziring fielded at NSA's Cybersecurity Directorate media roundtable Thursday had to do with their take on cyber labor shortages. They approach the problem in terms of labor force development. The Gen Cyber Camps for pre-collegiate students are, in Neuberger's view, important in exposing young people to the idea that a career in cybersecurity is not only possible, but that it can be rewarding as well. NSA is sponsoring more than one-hundred-twenty such camps. The two-hundred Centers of Academic Excellence fill an important intermediate role. And, as Ziring said, certifying research institutions at the PhD level strengthens the entire cybersecurity educational system. Thus the hope is to create a virtuous circle in labor force development.
A survey by Burning Glass found that cybersecurity jobs make up 13% of information technology positions, but these jobs take 20% longer to fill than other types of IT roles. The survey acknowledges that more than half of IT roles involve elements of cybersecurity skills. Burning Glass predicts that knowledge of public cloud security and the Internet-of-Things will be the most sought-after skills in the next five years.
Mergers and acquisitions.
VMware has completed its acquisition of Carbon Black for $2.1 billion, Yahoo Finance reports. In Network World's estimation, VMware is expected to build a significant "comprehensive integrated security" practice around its acquisition.
Akamai plans to acquire Israel-based web application protection company ChameleonX, Seeking Alpha notes.
London-based cyber insurer CFC Underwriting Ltd. has acquired Texas-based incident response company Solis Security, according to Help Net Security.
Investments and exits.
Berlin-based IoT SaaS company EMnify has secured €8 million in a Series A funding round from its existing investors, Tech.eu reports.
SiliconHills says Texas-based artificial intelligence company SparkCognition has raised $100 million in a Series C funding round led by March Capital Partners, with participation from Temasek, Kerogen Digital Solutions, Hearst Ventures, Dalus Capital, Sustainable Technology Ventures, Blue Horizon eVentures, and Founders Equity Partners.
And security innovation.
The Commonwealth Cyber Initiative (CCI) is launching a test be for 5G wireless security with universities across Virginia, according to Virginia Tech. The initiative will be led by Virginia Tech, Virginia Commonwealth University, Old Dominion University, and George Mason University. Roger Piqueras Jover, the chair of the test bed’s advisory board, told Virginia Tech that "the test bed will enable really exciting academic research and yield findings that will make 5G even more secure; it will also be a resource for technology startups working on improving 5G security." The test bed will allow researchers to test prototypes and ideas relating to 5G, as well as allowing government agencies to conduct training exercises.