Mass surveillance for COVID-19 contact tracing.
As governments around the world continue to seek technology that would assist them in tracking citizens' movements in order to slow the spread of the coronavirus, the crisis is causing many privacy advocates to soften their positions in the interest of public health. On the CyberWire's Quarterly Analyst Call, Ben Yelin from the University of Maryland's CHHS stated that "even among people who are strong civil liberties advocates, you've seen sort of this acceptance of, well, I'm not usually a supporter of the surveillance state, but if we need to track people's movement to get a better idea of how far this disease has spread, then maybe that's something I can live with temporarily."
The Intercept summarizes the opinions of various privacy experts who, operating under the assumption that these measures would be both effective and temporary, concluded that such surveillance can be conducted responsibly if governments adhere to strict guidelines concerning which data can be collected, what they can be used for, and who can access them. For example, Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, told the Intercept that the data should be approached like US census data: strict protections around how such data can be used are crucial to collecting accurate information on a voluntary basis.
Others express skepticism that these guidelines will be followed. Computing warns of "scope-creep, where the data we hand over to battle the virus is cross-matched with other information in ways we don't understand."
Meanwhile, governments have already begun rolling out surveillance apps and collecting data through other means. ZeroFOX says Italy, Colombia, and Iran have already made privacy missteps associated with their apps, although ZeroFOX notes that, even in the case of Iran, these incidents seem to have resulted from desperation and haste rather than ill intent.
Private companies play a key role in this effort. The Wall Street Journal reports that the US Centers for Disease Control is receiving data derived from advertising companies and cell phone carriers. Motherboard describes new products developed by Israeli spyware firm NSO Group and its Italian competitor Cy4Gate. Motherboard also notes that cellphone providers in countries across Europe are sharing customer location data with their governments.
Chinese espionage campaigns exploit Linux servers.
BlackBerry released a report describing how five related Chinese-government-aligned APTs have conducted espionage operations against Linux servers over the course of the past decade. Four of these groups are known to the industry as the WINNTI GROUP, PASSCV, BRONZE UNION, and CASPER (LEAD), and BlackBerry's researchers identified a new group they've dubbed "WLNXSPLINTER." BlackBerry researchers believe these groups are made up of contractors working for the Chinese government, and they appear to share tools, techniques, and infrastructure with each other. All five of these groups used "WINNTI-style tooling," and have been targeting systems running Red Hat Enterprise, CentOS, and Ubuntu at organizations in a wide variety of industries. The groups displayed "a significant degree of coordination" when targeting Linux systems.
During their investigation, BlackBerry researchers identified a possible front company, World Wired Labs, that sells the well-known and widely abused remote administration tool NetWire. The PASSCV threat actor was observed using an Android backdoor that displayed "striking structural layout similarities" and code overlap with the Android version of NetWire. Significantly, PASSCV's malware was created in 2015, while NetWire's Android version wasn't released until 2017, so this doesn't seem to be a case in which a threat actor simply adapted a publicly available tool. BlackBerry's Chief Product Architect Eric Cornelius told CyberScoop that World Wired Labs "kind of looks like a shell company....We believe that [Winnti] sort of open-sourced, or, for profit on the black market, made this tool set available."
Check out the CyberWire Pro Research Briefing for more.
APT hacks hundreds of Chinese VPN servers.
An APT group used a zero-day in Sangfor VPN servers to compromise Chinese government targets, ZDNet reports. Researchers at Qihoo 360 found that attackers had used the zero-day to replace a legitimate update file on more than two hundred of these VPN servers with a malicious version that would automatically install a Trojan. Most of the VPN servers belonged to government entities in Beijing and Shanghai, as well as Chinese diplomatic missions in dozens of countries around the world.
Qihoo 360 attributes the campaign to the DarkHotel APT, and posits that the actor may be attempting to glean information about how China tackled its COVID-19 outbreak. ZDNet notes that DarkHotel is suspected to be operating from the Korean peninsula, but it's not clear which country they're aligned with. The South China Morning Post notes, however, that many other researchers say Qihoo's report doesn't provide enough evidence to attribute the activity to any particular threat actor or motive.
NASA sees significant increase in cyber threats.
BleepingComputer reports that cyberattacks targeting NASA personnel have significantly ramped up during the COVID-19 pandemic as the agency's employees have transitioned to working from home. An agency-wide memo from NASA's Chief Information Officer warns that, in the past few days, the agency has seen a doubling of phishing emails, an "exponential increase in malware attacks," and "double the number of mitigation-blocking of NASA systems trying to access malicious sites (often unknowingly) due to users accessing the Internet." The memo adds that "NASA employees and contractors should be aware that nation-states and cyber criminals are actively using the COVID-19 pandemic to exploit and target NASA electronic devices, networks, and personal devices. Some of their goals include accessing sensitive information, user names and passwords, conducting denial of service attacks, spreading disinformation, and carrying out scams."
Operation Pinball seeks to sow disruption in Europe.
Recorded Future's Insikt Group uncovered an ongoing disinformation campaign, "Operation Pinball," that's targeting US and European governments with fabricated, supposedly leaked documents. The researchers conclude "with high confidence" that the operation overlaps with the Russia-linked "Secondary Infektion" campaign discovered by the Atlantic Council’s DFRLab last year. Operation Pinball used fake documents in an attempt to sow political discord in Estonia and undermine Georgia's relationship with NATO.
On one of the websites that published the aforementioned documents, Recorded Future also found "additional, previously undisclosed, attempts to plant false documents targeting U.S. officials and U.S. political organizations’ relationships with international policymakers and governmental bodies." These documents were published between January and June 2019, a timeframe that coincides with that of Secondary Infektion.
Neither Operation Pinball nor Secondary Infektion was particularly successful, which Recorded Future attributes in part to the actors' painstaking commitment to operational security, since such commitment is often at odds with the tactics required to grow a large audience.
See the CyberWire Pro Disinformation Briefing for more.
Examining the benefits of SASE.
Network defenders need to rethink how they protect their organizations' data, according to Rick Howard, the CyberWire's Chief Analyst. On the first episode of CSO Perspectives, Howard discussed how Secure Access Service Edge (SASE) needs to replace the security models that are currently in place. He stated that, for the past decade, network defenders have adhered to "two grand strategies: intrusion kill chain prevention and zero trust." Howard said these strategies were difficult enough to pursue when networks were focused on perimeter defense, but they've now become unsustainable because data is scattered across the cloud and other services, with each service provider offering its own security products. "In order to pursue our two grand strategies, network defenders and network operators alike have to deploy different tools that have the same functionality but operate in different environments and don't easily integrate," Howard said.
Howard explained that with SASE, "the first hop from your user's device or your organization's servers, regardless of which data island they sit on, will be to a cloud provider's SASE service. The SASE service will provide your security stack for all of your users and devices, and will also provide efficient peer routing to the destination. This accomplishes two things: first, it simplifies the orchestration of your two security strategies. Instead of managing multiple vendors' security products – some that perform the same function, only in different environments – all traffic goes through a copy of the same security stack with the same policy....If your SASE provider uses a security platform that already automatically updates its own intrusion prevention controls for all known adversaries, then the chance that your intrusion kill chain strategy will succeed will also have significantly improved. If your SASE provider uses a platform that facilitates zero-trust rules through automation, then your chances of successfully implementing your zero-trust strategy likewise will greatly improve. Second, by choosing the right SASE vendor who has established these essential peering relationships with the key content providers that you most likely use, your network latency will be drastically reduced, too."
Patch news.
Rapid7 warns that 82.5% of Internet-facing Microsoft Exchange servers are still vulnerable to CVE-2020-0688, a flaw that can enable an attacker to run SYSTEM-level code on a server after compromising any Exchange user account. A patch has been available since February, and Rapid7 has instructions for applying the patch as well as for determining if a server has already been compromised.
Zoom issued a patch that requires users to apply meeting passwords and removes the Zoom Meeting ID from the title bar, Mashable reports. The latter measure is meant to reduce the likelihood of Zoombombing when people share screenshots of their meetings.
Crime and punishment.
The Free Press says that Mumbai is seeing criminals shift to online crime as street crime becomes harder to pull off (presumably because it's more conspicuous as people stay off the streets, and because the police are on alert for it). InSight Crime reports that this is a global trend: criminal groups are turning to cybercrime in order to make up lost revenue. As criminal tools grow increasingly commodified, making that transition won't be as difficult as it once would have been.
Courts and torts.
The UK Information Commissioner's Office, taking into account the economic stress caused by the COVID-19 pandemic, has deferred the data breach fines it imposed on British Airways and Marriott UK last year. SC Magazine notes that the airline and hospitality industries are among the sectors most affected by the lockdowns. The companies are still expected to pay the fines in the future.
Spyware vendor NSO Group said in a court filing last week that its customers were responsible for any actions involving the company's Pegasus tool, since NSO only assists with "training, setup, and installation," the Guardian reports. Since NSO exclusively sells its products to governments, the company argued that "permitting this litigation to proceed would infringe critical national security and foreign policy concerns of sovereign governments."
Google is facing a class action lawsuit that alleges the company illegally collected personally identifiable information, including facial and vocal biometric data, through Chromebooks used by students. The complaint accuses Google of violating the Illinois Biometric Information Privacy Act, California’s Unfair Competition Law, and the Federal Children’s Online Privacy Protection Act. See the CyberWire Pro Privacy Briefing for more on this story.
Policies, procurements, and agency equities.
President Trump this past Saturday signed the Executive Order on Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector. A statement from the US Justice Department explains that the order "formally established an interagency committee to advise the Federal Communications Commission (FCC) on national security and law enforcement concerns related to certain license applications by companies under foreign ownership or control." This committee will be led by Attorney General William Barr, and will include the Secretary of Defense, the Secretary of Homeland Security, and "the head of any other executive department or agency, or any Assistant to the President, as the President determines appropriate."
The US Justice Department will permit Google to move forward with plans to turn on a high-speed trans-Pacific cable running from California to Taiwan, but not to Hong Kong, the Wall Street Journal reports. The Justice Department concluded that "[t]here is a significant risk that the grant of a direct cable connection between the United States and Hong Kong would seriously jeopardize the national-security and law-enforcement interests of the United States."
The US Executive Branch has sent the Federal Communications Commission a recommendation that China Telecom's International Section 214 Common Carrier Authorizations be "revoked and terminated."
Read more in our CyberWire Pro Policy Briefing.
Fortunes of commerce.
Microsoft bought the domain "corp[.]com" from Wisconsin resident Mike O'Connor for an undisclosed amount, KrebsOnSecurity reports. Krebs notes that O'Connor had been auctioning the domain with a starting price of $1.7 million. The domain matters because older Windows systems using Active Directory on internal networks were configured by default to use "corp" as their Active Directory path, so when one of those computers connected to the Internet from another network, it would likely try to reach corp.com on the public Internet as if it were its internal Active Directory domain.
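The namespace-collision check behind the corp.com story, as an added example in Python (not code from the CyberWire, KrebsOnSecurity, or Microsoft): it qualifies a short host name with the client's DNS search suffixes the way a Windows resolver does (simplified; name devolution is omitted) and flags any resulting name whose public registrable domain the organisation does not own. The host name dc1, the suffix lists, and the owned-domain set are constructed for the example.

```python
# Added example: defender-side check for a corp.com-style DNS namespace
# collision. A Windows client appends its configured DNS search suffixes to
# a single-label name, so an internal name built on an unowned public domain
# (e.g. "corp.com") leaks to the Internet once the client leaves the LAN.
from typing import List

# Constructed short public-suffix set for the example; a production check
# would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def candidate_fqdns(name: str, search_suffixes: List[str]) -> List[str]:
    """Names a Windows resolver would try for `name`, in search-list order.

    Simplification (assumption): a name containing a dot is tried as-is and
    the search list is not appended to it.
    """
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]
    return [f"{name}.{s.strip('.').lower()}" for s in search_suffixes]


def registrable_domain(fqdn: str) -> str:
    """Public registrable domain of `fqdn` (e.g. "corp.com"), or "" if the
    name ends in a suffix that never resolves on the Internet (".local")."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ""


def leaking_lookups(name: str, search_suffixes: List[str],
                    owned_domains: List[str]) -> List[str]:
    """FQDNs a roaming client would send to the public Internet for a
    registrable domain the organisation does not own."""
    owned = {d.lower() for d in owned_domains}
    leaks = []
    for fqdn in candidate_fqdns(name, search_suffixes):
        reg = registrable_domain(fqdn)
        if reg and reg not in owned:
            leaks.append(fqdn)
    return leaks


if __name__ == "__main__":
    # Constructed scenario: AD domain "corp.com", org actually owns example.com
    print(leaking_lookups("dc1", ["corp.com"], ["example.com"]))
```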
US-based encrypted messaging app Signal said that it would have to relocate its headquarters if the US government passes the proposed EARN IT Act, the Register reports.
Big data company Palantir thinks it will break even for the first time this year with $1 billion in revenue, Bloomberg reports.
Labor markets.
CISA is looking for student interns, and some of the positions are even open to high school students. The application deadline is April 15th.
Mergers and acquisitions.
San Jose, California-based cloud security company Zscaler will acquire Seattle-based cloud misconfiguration detection startup Cloudneeti. The terms of the deal were not disclosed.
Investcorp Technology Partners, the private equity arm of Bahrain-headquartered multinational bank Investcorp, has acquired German antivirus and threat intelligence firm Avira for $180 million.
Accenture has acquired London-based cyber defense consultancy Context Information Security for an undisclosed amount.
Accenture also acquired Pennsylvania-based IT and OT security company Revolutionary Security for an undisclosed amount.
Arizona-headquartered domain registrar GoDaddy is acquiring the domain registry business of Neustar and renaming it "GoDaddy Registry."
Investments and exits.
Palo Alto, California-based enterprise content firewall provider Accellion has raised $120 million in a private equity round led by Bregal Sagemount.
Tel Aviv-based SASE provider Cato Networks has raised $77 million in a Series D round led by Lightspeed Venture Partners, with participation from Aspect Ventures, Greylock Partners, Singtel Innov8, U.S. Venture Partners (USVP), and Cato Networks' founder and CEO Shlomo Kramer.
London-based enterprise data privacy software provider Privitar has raised $80 million in a Series C round led by Warburg Pincus, with participation from Accel, Partech, IQ Capital, Salesforce Ventures, and ABN AMRO Ventures.
New York-based healthcare cybersecurity company CyberMDX has secured $20 million in a Series B round led by Sham, with participation from existing investors Pitango Venture Capital and Qure Ventures.
San Francisco-based data access management company Okera has raised $15 million in a Series B round led by ClearSky Security, with participation from existing investors Bessemer Venture Partners and Felicis Ventures.
More business news can be found in the CyberWire Pro Business Briefing.