Nation-states use COVID-19 phishbait, too.
COVID-19-themed phishbait continues to circulate widely, and state-sponsored threat actors have unsurprisingly joined the party, ZDNet notes. Chinese security firm QiAnXin observed a phishing campaign targeting Ukraine with macro-laden documents that purported to be from Ukraine's Ministry of Health and offered news about the coronavirus. QiAnXin believes this campaign was run by Russia's "Hades" group (also known as "Sandworm").
South Korean company IssueMakersLab found COVID-19-themed documents targeting South Korean officials that delivered the BabyShark malware, which has been associated with North Korean threat actors.
Check Point describes a recent campaign that targeted a Mongolian government entity with documents outlining the Chinese government's response to the COVID-19 crisis. The researchers believe this activity is part of a "long-running Chinese-based operation against a variety of governments and organizations worldwide." They believe this group, which they call "Vicious Panda," has been active since at least 2016, and it may have targeted Russia, Ukraine, Belarus, and other countries in previous operations.
Another Chinese group, Mustang Panda, is thought to be behind a malware campaign that appears to be targeting users in Vietnam, according to Vietnamese security firm VinCSS.
Recorded Future summarizes these attacks, along with widespread criminal phishing activity, noting that the phishing lures tend to impersonate "country-specific health agencies," in addition to the World Health Organization.
Cyberattacks against healthcare entities.
Mother Jones reports that a ransomware attack took down the website of Illinois's Champaign-Urbana Public Health District, highlighting the heightened risk of disruptive attacks against government agencies and healthcare entities in the midst of an epidemic. Recorded Future analyst Allan Liska pointed to a ransomware attack against a cloud provider in November 2019 that resulted in 110 nursing homes losing access to patient data. Liska Mother Jones that "Another attack like that could cause significant disruption, especially while everybody’s so worried about the coronavirus. If senior care gets disrupted while we’re in the middle of a pandemic, it could cause loss of life."
Another reminder of this risk came Friday, when the Czech Republic's Brno University Hospital announced that it had suffered a cyberattack. The nature of the attack wasn't publicly disclosed, but its effects were apparently disruptive. The hospital stated, "Basic operation has been preserved, some computer systems are limited. Planned operations are postponed, the acute operative is maintained to the extent necessary. The situation applies to all areas (Bohunice, Maternity Hospital and Children's Hospital)." CyberScoop and ZDNet observed that this hospital is one of the country's largest COVID-19 testing facilities, although it's unclear if the attack affected the institution's ability to conduct testing. Lukasz Olejnik, former cyberwarfare adviser to the Red Cross, told CyberScoop, "In times of crisis taking out individual elements of a health care system can damage collective resilience....Even if the offline health care procedures work, reducing the capacity means that work might be slower than usual."
Russia offshores its trolling.
Facebook and Twitter took down a network of fake accounts attempting to sow division in the United States. The accounts were at least partially operated by people in Ghana and Nigeria, but both Facebook and Twitter attributed the activity to Russia. In a blog post, Facebook connected the operation to "individuals associated with past activity by the Russian Internet Research Agency (IRA)."
Facebook said it removed "49 Facebook accounts, 69 Pages and 85 Instagram accounts for engaging in foreign interference — which is coordinated inauthentic behavior on behalf of a foreign actor — on Facebook, Instagram and other internet platforms." Twitter told CNN that it took down "71 accounts that had 68,000 followers."
The accounts didn't specifically focus on the upcoming US election or support a particular candidate. Rather, Facebook said, "they frequently posted about US news and attempted to grow their audience by focusing on topics like black history, black excellence and fashion, celebrity gossip, news and events related to famous Americans like historical figures and celebrities, and LGBTQ issues." CyberScoop observes that the IRA's trolls largely focused on these topics ahead of the 2016 presidential election. It's not clear if the trolls would have eventually settled on a favored candidate; the Washington Post quotes Twitter's head of site integrity Yoel Roth as saying, "We know we caught this early enough on that these accounts were broadly unsuccessful in obtaining a large-scale audience."
CNN, working with Clemson University professors Darren Linvill and Patrick Warren, located the headquarters of the operation in Ghana and found it had been raided by Ghanaian security forces on February 6th. The Ghanaian security services later told CNN that the non-profit that rented and used the building received all of its funding from Russia.
Graphika published an extensive report on the Ghanaian operation, which noted that it's "likely that at least some of the keyboard operators were deceived as to the purpose of their activity."
Cyberspace Solarium Commission unveils its strategy.
The US Cyberspace Solarium Commission (CSC) released its report on Wednesday, which includes recommendations for "a strategy of layered cyber deterrence." The Commission concludes that deterrence works in cyberspace, but it requires a resilient economy, government reforms, and private-sector cooperation. The report also emphasizes the importance of election security, stating that "[i]f we don’t get election security right, deterrence will fail.
Deterrence would involve defending forward, and would be "layered" to shape behavior, deny benefits, and impose costs. Under this model, prospective attackers who calculated the costs and benefits of cyber conflict would be dissuaded first by international norms, second, by the low probability of deriving any benefit from an attack, and finally, by the sure prospect of retaliation and punishment.
Turla believed to have compromised Armenian government websites.
ESET has discovered watering hole attacks affecting four Armenian websites, two of which belong to the Armenian government. The researchers attribute the attacks to the Russia-linked Turla group, and they believe the websites have been compromised "since at least the beginning of 2019," although the attackers ceased making use of the sites in November 2019.
The researchers aren't sure how the attackers compromised the websites, but they managed to insert JavaScript code that would create an iframe that displayed a fake Adobe Flash update notification. If a user chose to download this file, the site would install both "a Turla malware variant and a legitimate Adobe Flash program." These attacks were highly targeted, and the iframe was only triggered against website visitors deemed "interesting" enough by the malware's operators.
Nation-state actors are attacking unpatched Microsoft Exchange Servers.
Volexity warns that multiple APT groups are exploiting CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server that was patched in February. The company didn't name any specific groups, but a source at the US Department of Defense told ZDNet that "all the big players" were exploiting this flaw. The vulnerability could allow an attacker to take over an Exchange Server after compromising a single account on the server. Importantly, the compromised account doesn't need to have access to the Exchange Control Panel or possess high privileges, so attackers can target low-level user accounts that aren't protected by multi-factor authentication.
Patch news.
Microsoft released an out-of-bound patch for a critical vulnerability (CVE-2020-0796) affecting Server Message Block 3.1.1 (SMBv3) in Windows 10 and Windows Server 2019. Microsoft inadvertently leaked details of the flaw due to an apparent miscommunication with some security companies who belonged to the Microsoft Active Protections Program, according to BleepingComputer. These companies temporarily published details of the flaw in their routine advisories, which prompted security researchers to search for and discover the vulnerability. The advisories described the flaw as "wormable," which gave many observers flashbacks to the SMBv1 vulnerability exploited by WannaCry and NotPetya in 2017. Microsoft also released a workaround, summarized by CERT-EU, that organizations can use until they're able to apply the patch.
Microsoft addressed a total of one-hundred-fifteen vulnerabilities, twenty-six of which are rated critical, eighty-eight are considered important, and one is held to be moderately severe. The good news is that none of them appear to be currently exploited in the wild.
Mozilla patched twelve vulnerabilities Firefox and Firefox ESR on Tuesday. The most serious Firefox vulnerability addressed could lead to arbitrary code execution.
Adobe didn't issue its usual round of patches, Help Net Security reports. It’s not clear if Adobe plans to release patches later this month.
Crime and punishment.
Former CIA employee Joshua Schulte was convicted of contempt of court and making false statements, but the jury failed to reach a verdict on the eight far more important charges of improperly disclosing classified information. Mr. Schulte, of course, is accused of leaking the CIA's hacking tools to WikiLeaks, which WikiLeaks published as "Vault 7" in 2017. Politico notes that the jury was evenly divided with regard to the strength of the evidence. The Washington Post expects the government to seek a retrial.
US law enforcement arrested a Russian citizen, Kirill Victorovich Firsov, who allegedly operated the Deer[.]io black market platform, CyberScoop reports. Deer[.]io hosted online stores for selling compromised accounts and stolen data (ZDNet characterizes it as "a Shopify-like platform for cybercrime"). Mr. Firsov was picked up by the FBI at JFK Airport on March 7th.
Courts and torts.
Reuters reports that Israeli spyware vendor NSO Group told a court in the Northern District of California that Facebook was in violation of international law when it served its lawsuit to the spyware firm. NSO maintains that Facebook "lied to the court in their application for default by stating that defendants had been served under the Hague Convention, when in fact, plaintiffs had been told by the government of Israel two days earlier that service under the Hague Convention was not complete, and the application for service needed to be resubmitted." Facebook also filed documents asking the court to "decline the defendants’ request to further delay this case," saying that it will withdraw its application for default so that the suit against NSO Group can proceed on its merits.
The US state of Vermont is suing facial recognition firm Clearview AI for allegedly violating the Vermont Consumer Protection Act and the Fraudulent Acquisition of Data Law. The state's Attorney General T.J. Donovan is seeking "civil penalties, restitution, injunctive relief, disgorgement, fees and costs, and other appropriate relief" from the company, claiming that Clearview's practices "are immoral, unethical, oppressive, and unscrupulous; and cause substantial injury to consumers which is not reasonably avoidable to consumers themselves and not outweighed by countervailing benefits to consumers or to competition." Ars Technica notes that Donovan was particularly displeased with the fact that Clearview also collects images of minors. Clearview AI responded, saying that it "operates in a manner similar to search engines like Google and Bing," and that it actually "collects far less data than Google and Bing, because Clearview AI only collects public images and their Web address."
Policies, procurements, and agency equities.
Senators Richard Blumenthal (Democrat of Connecticut) and Josh Hawley (Republican of Missouri) have disputed claims that the EARN IT Act would attempt to undermine encryption, CNBC reports. Blumenthal noted that the "bill says nothing about encryption." Hawley stated that "End-to-end encryption must be able to exist with robust law enforcement and I’m not going to support anything that does not protect the integrity of encryption for users, I can promise you that." Critics of the bill, including the Electronic Frontier Foundation, believe its purpose is to force companies to build ways for law enforcement to gain access to encrypted data by threatening to remove their legal protections provided by Section 230 of the Communications Decency Act.
President Trump signed the Secure and Trusted Communications Networks Act, which requires US telecom providers to remove any "suspect foreign network equipment" from their networks, Engadget reports. The law will require the FCC to organize a compensation program to assist rural providers in this task. FCC Chairman Ajit Pai announced last month that telecom companies that are eligible for the Universal Service Fund must inventory any Huawei or ZTE equipment they currently use and report the cost of replacing it to the FCC, according to the Alaska Journal of Commerce.
Reuters reports that France plans to allow telecom companies to use some Huawei gear in the country's 5G network. Like the UK, France is expected to restrict Huawei's equipment from core parts of the network.
Fortunes of commerce.
Bloomberg reported Monday that two employees of Forest City, California-based SIEM provider Exabeam were diagnosed with COVID-19. Both employees attended RSAC 2020 and may have been at Exabeam's booth. Exabeam stated that "while we cannot confirm whether they contracted COVID-19 prior to, at or after the conference, if you came into contact with our staff, please be vigilant in monitoring yourself for symptoms and follow recommended guidelines to prevent possible infection." While Exabeam is based in California, one of the patients, a 45-year-old male with underlying health conditions, lives in Connecticut. This individual began experiencing symptoms on February 28th, was hospitalized on March 6th, and is now on a ventilator in a medically induced coma. Our wishes for their swift and full recovery.
Naked Security offers advice for companies whose employees will be working remotely for the foreseeable future.
Labor markets.
The Cyberspace Solarium Commission's report identifies the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) as the key to coordinating government cybersecurity and partnering with the private sector. The Commission "want[s] working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google, and Facebook for top-level talent (and wins)." Accordingly, the Commission says "Congress and the executive branch should pass legislation and implement policies designed to better recruit, develop, and retain cyber talent while acting to deepen the pool of candidates for cyber work in the federal government."
The US Office of Personnel Management released a memo as part of the Executive Order on America’s Cybersecurity Workforce signed by President Trump in May 2019, Federal News Network reports. The memo offers various types of assessments that can be used to identify cybersecurity aptitude, and recommends "the Federal government pursue a whole person approach for cybersecurity aptitude assessment for reskilling and the selection of new talent."
Mergers and acquisitions.
Minnesota-based IT software company HelpSystems has acquired Washington, DC-based Strategic Cyber LLC and its flagship penetration testing software Cobalt Strike. Strategic Cyber's founder Raphael Mudge stated in a blog post that he has "joined HelpSystems as a Technical Director for Cybersecurity."
Seattle-based network security vendor WatchGuard Technologies will acquire Madrid-based endpoint protection company Panda Security.
Investments and exits.
Sunnyvale, California-based SOC-as-a-service company Arctic Wolf has raised $60 million in a Series D funding round led by Blue Cloud Ventures and Stereo Capital, with participation from other investors, including Delta-v Capital and NextEquity Partners.
Virginia-based supply chain risk management company Interos has received $17.5 million in a Series B round led by Venrock, with participation from Kleiner Perkins.
Missouri-based cloud security management startup DisruptOps secured $9 million in a Series A funding round from Drive Capital and Rally Ventures, Startland News reports.