Not all criminals are profiting during the pandemic.
Digital Shadows summarizes the ways in which the COVID-19 pandemic is affecting the online criminal economy. Some scammers are predictably profiting from the situation. Since people are doing much more shopping online, the criminals see increased opportunities for carding and other forms of online fraud. They're also shifting their direct fraud to follow the market by exploiting the demand for face masks, vaccines, and other items people want but can't get. Sometimes it’s because the stuff isn’t available, like face masks or toilet paper. Sometimes, as in the case of the vaccines, it's because such things don't exist. And of course some of the fraud is familiar snake oil, like the colloidal silver cure-all. Scammers are also reworking their phishing templates to include COVID-19-related content, the better to pique potential victims' interest. These tactics have been very apparent for weeks from the consumer side.
On the other hand, some types of criminals are feeling economic pain. Opportunities for travel and event fraud have essentially dried up. Gangs who specialize in bank fraud are having difficulty completing their theft if it requires a physical transfer of goods or cash, as it often does. Amazon has also blocked all shipments of non-essential products to its warehouses, so cybercriminals can no longer make use of Amazon's delivery network to ship their goods.
Kwampirs RAT targets healthcare and other industries.
The FBI warned that an APT is using the Kwampirs remote access Trojan to compromise organizations in the healthcare, software supply chain, energy, and engineering sectors in the US, Europe, Asia, and the Middle East. The Bureau says the healthcare sector is particularly at risk. Some of the software supply chain vendors specialized in industrial control system products for hospitals. The FBI says the observed samples of Kwampirs don't possess data-wiping capabilities, but the malware shares some code similarities with the Shamoon wiper. ZDNet observes that this is the third supply-chain warning the FBI has issued in as many months.
Zoom's busy week.
The video conferencing app Zoom has been in the spotlight after seeing its popularity skyrocket over the past few weeks. MarketWatch reports that Zoom's daily usage is up more than 300% from before social distancing measures came into place. Zoom said its daily meeting participants in March 2020 topped out at 200 million, compared to 10 million daily users in December 2019. Other video conferencing solutions are seeing similar surges, but Zoom seems to be leading the pack.
Zoom's increased popularity was accompanied by increased scrutiny, and security researchers have been busy uncovering vulnerabilities and privacy shortcomings in the software. The Intercept reported that Zoom meetings aren't end-to-end encrypted, even though the company's "misleading marketing" suggested they were. Zoom apologized and acknowledged that "there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," and the company laid out its encryption processes in a blog post.
The University of Toronto's Citizen Lab noted that Zoom appears to own three Chinese companies that help develop its software in a typical labor arbitrage arrangement, which brings with it the usual concerns about Chinese employees facing pressure from Beijing's intelligence agencies. The researchers also found that in some cases, Zoom's encryption keys are routed through servers in China.
Motherboard reported that Zoom's iOS app would send analytics to Facebook, even if the user didn't have a Facebook account. Motherboard pointed out that this is a common practice for apps that use Facebook's SDK, but Zoom's privacy policy didn't mention this data transfer. Zoom has since removed the Facebook SDK from the iOS app, but the company is still facing a class action lawsuit over the matter.
The New York Times found that Zoom contained a data-mining component that enabled users to match meeting participants with their LinkedIn profiles, even if a participant joined the meeting under a pseudonym. Zoom has now permanently removed this feature.
The FBI warned of "Zoombombing," a technique in which miscreants dial into Zoom meetings uninvited and display offensive content for all to see. Users can configure Zoom to prevent these incidents from taking place.
TechCrunch summarizes various other vulnerabilities in the software, some more run-of-the-mill than others, and Zoom outlines the steps it's taken to address the flaws.
Still, the consensus on Zoom seems to be that, while it shouldn't be used for anything highly sensitive or private, the company appears to be doing a generally decent job of addressing criticisms and fixing vulnerabilities. The Washington Post and the Verge say Zoom's level of responsiveness has been impressive, particularly given how suddenly its software has gone through the wringer. WIRED concludes that "Zoom's security is likely sufficient for most people's general communications, but there are more protected group video chat options—like those offered by WhatsApp, FaceTime, and particularly Signal—that could be a better fit for sensitive gatherings."
Saudi Arabia allegedly tracks its citizens throughout the US.
A whistleblower has shown the Guardian data suggesting that Saudi Arabia has been conducting widespread surveillance of Saudi nationals in the United States. The information provided by the whistleblower included millions of location tracking requests from Saudi Arabia's three largest mobile providers (Saudi Telecom, Mobily, and Zain) to an unnamed US mobile carrier. These requests were Provide Subscriber Information (PSI) messages seeking data through the legitimate but quite old SS7 protocol, which enables mobile carriers to continue providing services globally. The Guardian notes that "excessive use of such messages is known in the mobile telecoms industry to be indicative of location tracking." The whistleblower's data indicates that Saudi phones in the US were being tracked between two and thirteen times per hour. The Guardian cites telecoms and security experts who "confirmed they too believed it was indicative of a surveillance campaign by Saudi Arabia."
It's not clear how many of these requests were permitted by US carriers; only AT&T responded to the Guardian's queries, saying, "We have security controls to block location-tracking messages from roaming partners."
Hong Kong forum users targeted with iOS exploits.
Trend Micro and Kaspersky both published reports on a watering-hole attack discovered in January 2020 that targeted users on four popular Hong Kong-based forums with a full iOS exploit chain. Kaspersky has temporarily assigned the name "TwoSail Junk" to the threat actor, but the company suspects the campaign is linked to the Chinese-speaking APT known to the industry as "SpringDragon," "Lotus Blossom," and "Thrip." The attackers posted links on these forums that led to malicious web pages posing as news sites. These web pages served a script that would exploit vulnerabilities in iOS versions 12.1 and 12.2 in order to install what Trend Micro calls "undocumented and sophisticated spyware for maintaining control over devices and exfiltrating information."
HackerOne parts ways with Voatz.
HackerOne has expelled mobile voting company Voatz from its bug bounty platform over Voatz's allegedly hostile treatment of security researchers, CyberScoop reports. Voatz told CyberScoop that HackerOne's decision was due to a "small group of researchers who, along with a few other members of the community, believe Voatz reported a researcher to the FBI." Voatz denies doing this, but Cointelegraph explains that, "In fact, Voatz reported the student to the jurisdiction which then reported it to the FBI."
A HackerOne spokesperson told CyberScoop, "After evaluating Voatz's pattern of interactions with the research community, we decided to terminate the program on the HackerOne platform. We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing." CyberScoop notes that this is the first time HackerOne has ever kicked a vendor off its platform.
Voatz's vice president of product Hilary Braseth maintains that the decision was mutual, telling SearchSecurity, "We had continued conversations with HackerOne and it was deemed mutually the right thing for both parties due to the animosity from these researchers to temporarily pause our engagement. It became too taxing for them to put up with this and for us too. It made sense for us to find an alternative and so we are building our own public bounty program."
China is accused of running a coordinated disinformation campaign about COVID-19.
The US Intelligence Community last week delivered a classified study to the White House that concluded, according to Bloomberg, that "China’s public reporting on cases and deaths is intentionally incomplete." Others have reached the same conclusion. Vice summarizes Beijing’s policy with respect to information about the coronavirus, and it finds a comprehensive program of censorship and disinformation directed at both domestic and international audiences. Stanford University’s Internet Observatory says that deliberate misdirection and obfuscation (false suggestion and suppression of truth) have been in progress since January. It's worth noting that since an effective, proportionate response to a pandemic requires accurate information about the origin, transmission, and severity of the disease, disinformation under such conditions can have serious consequences.
Patch news.
Google Chrome version 80.0.3987.162 fixes eight security flaws, three of which are considered to be high in severity, Threatpost says.
Crime and punishment.
CyberScoop reports that the FBI arrested a Russian national who allegedly laundered money for a cybercriminal group that targeted banks in the US.
Courts and torts.
Marriott International is facing a class action lawsuit after the company disclosed this week that it had suffered another data breach, SecurityWeek reports. This breach affected up to 5.2 million guests and exposed names, birth dates, mailing addresses, and loyalty program information. Marriott doesn't believe any sensitive credentials or financial data were leaked, but the company is still investigating. The breach occurred when someone used employee credentials to log into an internal corporate application.
Policies, procurements, and agency equities.
The US is considering imposing stiffer sanctions on Huawei that would cut the Chinese manufacturer off from its US chip suppliers, Reuters reports. WIRED worries that such sanctions would fuel the rise of a domestic Chinese chip industry, but news of the sanctions was troubling enough to Huawei that the company's rotating chairman Eric Xu told CNBC, "The Chinese government would not sit there and watch Huawei being slaughtered. I believe there would be counter-measures."
The US Justice Department Inspector General has released the report on the FBI's conduct with respect to the Foreign Intelligence Surveillance Act. The report found that conduct not only distinctly wanting, but also of long duration: problems with the Bureau's handling of FISA matters predate the 2016 US elections. The IG was particularly concerned about the way the Bureau handled requests for FISA surveillance warrants. The findings in the latest report suggest that there are deeper systemic issues with the FISA process, independent of any agents’ or officials’ biases, commitments, or individual misconduct. The systemic issues largely come down to what the Washington Post calls "institutional weaknesses," resulting in insufficient and defective oversight of the process itself.
The US District Court for the District of Columbia has ruled in a test case that violating a site's terms of service does not in itself constitute a crime under the Computer Fraud and Abuse Act.
After the US Department of Defense last week indicated that it was moving forward with its Cybersecurity Maturity Model Certification (CMMC), six industry groups (the Alliance for Digital Innovation, BSA: The Software Alliance, the Cybersecurity Coalition, the Information Technology Industry Council (ITI), the Internet Association, and the Computing Technology Industry Association (CompTIA)) have signed a letter to the Under Secretary of Defense for Acquisition and Sustainment in which they express reservations about the program's implementation. The associations argue that "current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs."
Fortunes of commerce.
Bloomberg reports that big data analytics provider Palantir is in talks with government officials in France, Germany, Switzerland, and Austria to supply its software for use in fighting the COVID-19 pandemic.
Microsoft's venture fund M12 announced that it won't invest in any more third-party facial recognition companies after it was criticized for funding Israeli startup AnyVision, according to the Verge. NBC News reported in October that AnyVision was using its technology to surveil Palestinians living in the West Bank. Microsoft said last Friday that an independent audit had determined that this claim was unfounded, but the company added that it will divest from AnyVision because "the audit process reinforced the challenges of being a minority investor in a company that sells sensitive technology, since such investments do not generally allow for the level of oversight or control that Microsoft exercises over the use of its own technology."
And some good news: Chris Tillett, a senior security engineer with Exabeam who had a severe case of COVID-19, is now back with his family and on the road to recovery.
Mergers and acquisitions.
United Technologies and Raytheon on Thursday completed their "merger of equals transaction" after United spun out its Carrier and Otis subsidiaries. United Technologies has changed its name to "Raytheon Technologies Corporation," and is traded on the New York Stock Exchange as "RTX."
Palo Alto Networks will acquire San Jose, California-based software-defined wide-area network (SD-WAN) company CloudGenix for approximately $420 million.
Canadian IT consulting company CGI Federal is acquiring Reston, Virginia-based IT consultancy TeraThink.
The pandemic emergency has called a stop to at least one major acquisition bid: the Wall Street Journal reports that Xerox has given up its attempted purchase of HP, for the duration at least, and quite possibly for good.
Investments and exits.
Chinese big data analytics company MiningLamp has raised US$300 million in a Series E funding round led by Tencent Holdings and the Government of Singapore's Temasek Holdings, the South China Morning Post reports. The Post notes that MiningLamp is seen as China's equivalent of the United States's Palantir.
Belgian data intelligence company Collibra has raised $112.5 million in what TechCrunch calls "a Series F, from the looks of it." The round was led by existing investors ICONIQ Capital, Index Ventures, and new investor Durable Capital Partners LP, with participation from existing investors Battery Ventures, CapitalG, and Dawn Capital.
New York-based cybersecurity asset management company Axonius has raised $58 million in a Series C round led by Lightspeed Venture Partners, with participation from existing investors OpenView, Bessemer Venture Partners, YL Ventures, Vertex, and Western Technology Investment.
Germany-headquartered privacy and compliance platform provider DataGuard secured $20 million in a Series A round led by One Peak, TechCrunch reports.
Santa Clara, California-based XDR (detection and response) platform provider Stellar Cyber has added $7.1 million to its Series A round, bringing the round's total to $21.8 million. The new funding comes from Susquehanna International Group, while the previous funding came from Valley Capital Partners, Big Basin Ventures, and Northern Light Venture Capital.