We'll be observing the Christmas and New Year holiday season next week, and so the CyberWire will take a break from publication. The Daily News Briefing won't publish next week, but we'll be back to our normal schedule on January 2nd. See you in 2020, and all our best wishes to you for Christmas, Chanukah, and New Year's Day. And, as always, thanks for reading.
Everyone says that we need to build security in, but when it comes to app development, security seems always to be at war with speed. Besides, app developers are always more concerned with function. You want them to care about functionality, so help them with security. It’s critical, and Code Dx can help you help them. Code Dx automates the tough parts of AppSec so your developers can use their mad skilz where they really pay off. Help them help you.
Gangnam Industrial Style targets South Korea.
A cyberespionage campaign targeting hundreds of industrial firms is currently underway, according to researchers at CyberX. The campaign, which CyberX calls "Gangnam Industrial Style," is primarily focused on South Korean targets, and has resulted in the compromise of at least two hundred systems. One of these systems belonged to "a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment such as heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction." Other victims were located in Thailand, China, Japan, Indonesia, Turkey, Ecuador, Germany, and the United Kingdom.
The attackers are using a new variant of the Separ malware, which they distribute via spearphishing emails. The lure documents are industrial-themed, with some posing as RFQs. The exact goal of the campaign isn't apparent, but the researchers note that "the attackers could be stealing proprietary information about industrial equipment designs so they can sell it to competitors and nation-states seeking to advance their competitive posture." The information could also be used in preparation for damaging cyberattacks against industrial environments.
Looking to advance your cybersecurity career? Check out Georgetown University's graduate program in Cybersecurity Risk Management. Ideal for working professionals, our program offers flexible options to take classes online, on campus, or through a combination of both—so you don’t have to interrupt your career to earn your degree. You'll leave the program with the expertise you need to effectively manage risks and navigate today’s increasingly complex cyber threats. Learn more.
APT20 suspected in Chinese espionage campaign.
Fox-IT describes Operation Wocao, a Chinese cyberespionage campaign that's been active for the past two years against targets in at least ten countries, including Brazil, France, Germany, Italy, Mexico, Portugal, Spain, the UK, the US, and China itself. Among the industries targeted are aviation, energy, finance, healthcare, insurance, software development, and transportation. Government entities and managed service providers have also received attention from the campaign. Fox-IT's researchers are fairly certain the operation is based out of China and is conducting espionage on behalf of the Chinese government, and they assess "with medium confidence" that the group behind Wocao is APT20 (also known as "Violin Panda").
The threat actor exploits vulnerable web servers to gain a foothold in the targeted organization's network, in some cases taking advantage of web shells that had already been placed on the servers by unrelated attackers. The actor then maintains persistence by compromising VPN credentials using a keylogger and then connecting to the organization through its VPN solution.
In one instance, the attackers were able to defeat an RSA SecurID two-factor authentication system in order to connect to a VPN server. Fox-IT believes they were able to pull this off because the victim used a software-based token to generate 2FA codes on their laptop, rather than using a separate device. By stealing the SecurID Software Token from the victim's laptop and then patching an instruction in the RSA SecurID software that checked to verify whether the token was on the correct system, the attackers were able to generate valid 2FA codes on their own devices.
Cities work to recover from ransomware.
Hackensack Meridian Health, New Jersey's largest hospital system, said last Friday that it paid a ransom to regain access to its systems after almost five days. One of the hospital's IT employees told NJ.com that the malware impacted "anything with computer software — scheduling and billing systems and labs and radiology." Around a hundred elective surgeries were delayed by the attack.
The City of New Orleans suffered a cyberattack on December 13th, which BleepingComputer believes involved the Ryuk ransomware. The city said the effects of the attack were "minimal," according to WBRZ, although four thousand computers have to be reimaged as a precautionary measure.
Our graduate students in the Johns Hopkins University Information Security Institute work alongside our faculty who are world-renowned for their research in cryptography, privacy, medical information security, and network and system security. To learn more, register for the one-hour session to get an overview of the Information Security Institute. Panelists will provide a program overview, areas of research, admissions requirements, and discuss life in Baltimore.
Ransomware attacks may now be assumed to be data breaches as well.
Ransomware operators are increasingly adding another element of extortion to their attacks by exfiltrating data before encrypting systems. Researchers at Morphisec describe an attack involving the Zeppelin ransomware in which the attackers tried to steal backup data from Windows database servers before deploying the ransomware. The researchers say they "also identified links to a data source that might indicate significant data breaches of some companies."
The criminal group behind the Maze ransomware has taken a similar approach by stealing their victims' data and threatening to publicly release it unless the ransom is paid. According to BankInfoSecurity, the Maze criminals have been posting small portions of stolen data on their website this week in an effort to put pressure on eight victims who haven't yet paid ransom. The city of Pensacola, Florida, was afflicted by a Maze ransomware infestation this past Saturday, and it's unclear if the city paid the attackers.
The Maze operators told BleepingComputer that they'd also attacked a Canadian insurance company. The company said it had recovered without paying the ransom, but the attackers are now threatening to dump the stolen data online.
BleepingComputer also noted last week that the REvil/Sodinokibi gang announced it will begin using stolen data as leverage in its attacks.
Additionally, Ontario-based lab diagnostics and testing provider LifeLabs announced on Tuesday that it had suffered a cyberattack that resulted in the data of up to fifteen million customers being exfiltrated and held for ransom. The data included names, addresses, dates of birth, health card numbers, lab test results, email addresses, and passwords. The company paid the attackers an undisclosed amount. It's not clear yet if ransomware was involved in this attack, but the incident demonstrates the effectiveness of demanding a ransom in exchange for data confidentiality. Many observers, including the Georgia Straight and the Toronto Sun, point out that LifeLabs has no way of knowing if the attackers actually deleted the data.
Cisco Talos predicts this trend will continue, especially due to the fact that if the extortion element doesn't pan out, the attackers can simply sell the data on the black market (and they may very well end up doing this even if the victim does pay up). This development will almost certainly have legal implications for organizations, since any ransomware attack now comes with the uncertain possibility of personal data being compromised.
Wawa discloses a major data breach.
Wawa announced Thursday that it had discovered malware on its payment processing servers which may have affected customer payment card information at all of the company's locations. Wawa's CEO said the malware had access to "credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019." The company is investigating to determine the extent of the breach.
Check out “Caveat,” the CyberWire's newest weekly podcast addressing cybersecurity law and policy, with a particular focus on surveillance and digital privacy. This podcast is hosted by our own Dave Bittner and Benjamin Yelin, Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Each week, Dave and Ben break down important current legal cases, policy battles, and regulatory matters along with the news headlines that matter most. Have a listen.
ECHOBOT Mirai variant gets an update.
Palo Alto Networks's Unit 42 describes a new version of the ECHOBOT variant of the Mirai botnet. This version targets seventy-one different vulnerabilities, thirteen of which haven't previously been seen exploited in the wild. The vulnerabilities' dates of disclosure range from March 2003 to December 2019, possibly indicating, the researchers say, that the attackers are "targeting either legacy devices that are still in use but probably too old to update due to compatibility issues and newer vulnerabilities that are too recent for owners to have patched."
ECHOBOT stands apart from other Mirai variants due to the number of exploits it contains. BleepingComputer notes that ECHOBOT has been voraciously incorporating vulnerabilities since it was first discovered in June. Unit 42 says that unlike other variants of the malware, which focus on targeting the most effective and widespread vulnerabilities, ECHOBOT's developers seem to incorporate any exploit they can get their hands on.
Iran says it defended itself against another cyberattack.
Iran's telecommunications minister, Mohammad Javad Azari-Jahromi, announced that the country had thwarted another cyberattack against Iranian government systems, the BBC reports. Jahromi attributed the attack to the Chinese-linked threat group APT27 (also known as Emissary Panda) and said the hackers were trying to conduct espionage. He added that the attack was foiled by Iran's cybersecurity project called the "Dezhfa," or Digital Fortress. The Telecommunications Ministry said in May that Dezhfa had been installed to protect Iran’s Siemens-manufactured industrial control systems, although this recent attack apparently wasn't bent on sabotage, the Jerusalem Post reports.
The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. Through a partnership with the CyberWire, each of CyBOK's knowledge areas will be featured in its own podcast. The first few episodes are available on your favorite podcast app. Visit the website to learn more.
Microsoft released an out-of-band security update to fix an information-disclosure vulnerability in SharePoint Server, Computing notes. Microsoft explained that an attacker could exploit the vulnerability by sending a "specially crafted request to a susceptible SharePoint Server instance."
Intel released a patch for the Plundervolt vulnerability affecting its 6th, 7th, 8th, 9th, and 10th generation processors, HOTforSecurity reports. However, since the patch requires a BIOS update, it's not clear how quickly it will reach users.
Crime and punishment.
Nathan Wyatt, a British subject alleged to belong to the Dark Overlord cyber extortion gang, was extradited to the US and arraigned on Wednesday. The Justice Department accuses Wyatt of "remotely accessing the computer networks of multiple U.S. companies without authorization, obtaining sensitive records and information from those companies, and then threatening to release the companies’ stolen data unless the companies paid a ransom in bitcoin." Mr. Wyatt is presumed innocent, and says he didn't do it.
Evaldas Rimasauskas was sentenced to five years in US prison for carrying out business email compromise scams against Facebook and Google, the Register reports. Mr. Rimasauskas set up a company with the same name as a Taiwanese hardware manufacturer and succeeded in stealing $99 million from Facebook and $23 million from Google.
The Epilepsy Foundation has filed criminal complaints with law enforcement following attacks against its Twitter feed in which lowlifes flooded the Foundation's handle and hashtags with flashing GIFs intended to trigger epileptic seizures. The New York Times notes that a Maryland man was arrested in 2017 and charged with aggravated assault with a deadly weapon for sending one of these GIFs to an epileptic author.
Courts and torts.
France's national competition regulator has fined Google €150 million ($166 million), saying the company abused its dominance in the advertising market "by adopting opaque and difficult to understand operating rules for its Google Ads advertising platform and applying them in an unfair and random manner." TechCrunch says Google plans to appeal the decision.
The Guardian reports that Spain's national court is investigating allegations that a Spanish company that provided security for the Ecuadorian embassy in London spied on Julian Assange during his seven-year residence at the embassy. According to El País, the company collected audio and video footage of Assange's meetings with his lawyers and handed it over to the CIA. Spain's Audiencia Nacional is looking into whether the company violated privacy laws and legal privilege.
Policies, procurements, and agency equities.
The Indian government last week shut down the Internet in the northeastern states of Assam and Meghalaya amid protests in the regions. TechCrunch quotes government officials in Assam as saying that "social media platforms like Facebook, WhatsApp, Twitter, and YouTube are likely to be used for spreading of rumors and also for transmission of information like pictures, videos and text that have the potential to inflame passions and thus exacerbate the law and order situation."
The Washington Post observes that the Internet has also been blocked in the Kashmir region since August 5th, making it the longest Internet shutdown ever enforced in a democracy. India has shut off the Internet 101 times so far this year, according to the country's Internet Shutdown Tracker. The New York Times notes that India's closest competitor in this arena is Pakistan, which had twelve shutdowns last year.
US Senate Republicans have agreed to provide $425 million for election security, according to The Hill. The Wall Street Journal notes that many Democrats aren't entirely satisfied with this, as they want a permanent Federal funding mechanism and stronger election security legislation.
The US House of Representatives has passed the Secure and Trusted Communications Networks Act, The Hill reports. The Act would require the Federal Communications Commission to set up a $1 billion program to assist small telecoms providers in replacing "suspect network equipment." The bill is now under consideration by the Senate, where it seems likely to pass.
Reuters reports that the German government has delayed its decision on security rules surrounding the country's 5G networks.
CISA is in line to receive a $334 million boost in funding for fiscal 2020, with its total funding next year surpassing $2 billion, Fifth Domain reports.
Fortunes of commerce.
Google Chrome has followed the lead of Firefox and Opera by removing Avast's web extensions from its web store, Computing reports. Avast's extensions collect a considerable amount of user browsing data, which the company sells to third parties. Avast says the data is anonymized, but Adblock Plus creator Wladimir Palant asserts that the amount of data collected, and the fact that each customer's data is connected to a unique user ID, defeats the company's anonymization measures.
Facebook says it will ban misinformation and misleading ads about the 2020 US census. The new policy will prohibit misrepresentation about where, when, and how people can participate in the census, along with who is eligible to participate. It also bans false information about the government's role in the census, whether this information is meant to encourage or discourage participation.
The Securities and Exchange Commission is looking into the IPOs of Slack and other unicorns, the Wall Street Journal reports. It's not clear what the SEC is looking for, but it requested emails and other communications sent by trading firms just before Slack's stock opened for trading.
Cynet's 2020 Cybersecurity Salary Survey Results found that IT employees who pivot into cybersecurity generally make more money than employees who start their careers in cybersecurity positions. Additionally, the survey determined that security analysts in North America "get a significantly higher salary than in EMEA and APAC, with more than 80% earning between 71K and 110K in contrast to less than 35% in EMEA and 21% in APAC."
Mergers and acquisitions.
PE Hub reports that British private equity firm Apax Partners will acquire Colorado-based cyber risk management company Coalfire from The Carlyle Group and The Chertoff Group, both of which are based in Washington, DC. The terms of the deal were not disclosed.
Investments and exits.
San Francisco-based real-time data analytics company Imply has raised $30 million in a funding round led by Andreessen Horowitz’s Late Stage Venture Fund, with participation from Geodesic Capital and Khosla Ventures.
Today's issue includes events affecting Brazil, China, Ecuador, France, Germany, India, Indonesia, Ireland, Israel, Italy, Japan, Democratic People's Republic of Korea, Republic of Korea, Mexico, Portugal, Russia, Spain, Thailand, Turkey, United Kingdom, and United States.
Research Saturday is up. In this week's episode, "Inside Magecart and Genesis," we hear from researchers at Shape Security, who are tracking Magecart card skimmers and the Genesis marketplace. Dan Woods is VP of the intelligence center at Shape Security, and he joins us to share their findings.
Our regular Daily Podcast, as well as our weekly Research Saturday, Caveat and Hacking Humans podcasts, will also take a holiday break next week, returning as usual on January 2nd. Feel free to catch up on back episodes, or, for something new, lend your ears to the special editions we'll be posting next week.