By the CyberWire staff
Spearphishing campaigns targeted the oil & gas industry during OPEC+ and G20 meetings.
Bitdefender warns that two spearphishing campaigns recently targeted the oil & gas industry attempting to deliver the Agent Tesla information-stealing Trojan. The first campaign, which began on March 31st, targeted at least twenty-four countries and used emails that purported to come from Engineering for Petroleum and Process Industries (Enppi), an engineering subsidiary of Egypt's national oil company. The largest focus of this campaign was on Malaysia, the United States, Iran, South Africa, Oman, Turkey, and Italy. The second campaign, which began on April 12th, was much smaller in scope and "targeted only a handful of shipping companies based in the Philippines over the course of two days."
Both campaigns used industry-specific jargon and relevant requests that demonstrated the attackers' deep knowledge of the targeted organizations and industry. Bitdefender's researchers don't guess at who might be behind the campaigns, but they note that the timing of the operation—occurring before and during a meeting between OPEC+ and the Group of 20 regarding oil production and pricing during the COVID-19 pandemic—"suggests motivation and interest in knowing how specific countries plan to address the issue."
Two iOS zero-days disclosed.
ZecOps researchers discovered and disclosed two iOS zero-days that can lead to remote code execution on up-to-date iPhones and iPads. The researchers say the flaws are being exploited in the wild, with the earliest attack observed in January 2018. The vulnerabilities affect iOS's default Mail application and can be exploited by sending "a specially crafted email" to a victim's email address. On iOS 13, the vulnerability can be triggered without user interaction. On iOS 12, the victim must open the email, but no further interaction is required.
ZecOps didn't attribute the attacks to any specific actor, but said they believe "these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications." They also note that they "are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier." ZecOps's CEO Zuk Avraham told Motherboard that the attacks they observed were likely launched by "someone who's spending budgets on buying exploits but they don't really have the technical capabilities to change those exploits for better OPSEC."
Motherboard observes that, while the attacks described by ZecOps seem highly targeted and probably won't affect the vast majority of people, users can temporarily delete the Mail app from their devices if they're concerned they could be a target.
Apple informed Reuters that the flaws will be patched in the next iOS update, and they've already been fixed in the publicly available beta release. The company also disputed ZecOps's claim that the flaws were exploited in the wild, saying in a statement to Bloomberg, "We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance."
ZDNet observes that other researchers have also questioned whether the flaws were actually exploited in the wild, pointing to the fact that the report bases its conclusion on the devices' crash logs. Dino Dai Zovi from Square wondered why the exploit would delete the original email to cover its tracks, but not delete the crash log as well. ZDNet explains that ZecOps may have been "merely seeing malformed emails triggering a benign bug, rather than malicious attacks against iOS users."
ZecOps told Reuters in response that it would release more information and proof-of-concepts once the patches were rolled out.
APT32 conducts cyberespionage against Chinese government targets.
FireEye reports that APT32, a threat group thought to be associated with the Vietnamese government, has been conducting spearphishing campaigns against Chinese government targets since at least January 6th, 2020. The group's motive appears to be espionage with the goal of gathering intelligence on the COVID-19 pandemic; the targets were China's Ministry of Emergency Management and the government of Wuhan, the Chinese city where the disease is believed to have originated.
In response to FireEye's report, Vietnam's foreign ministry said "[t]he accusation is baseless," according to Reuters. Reuters also quotes China's foreign ministry spokesman as saying that cyberattacks against pandemic-fighting institutions should be condemned.
Small Business Administration discloses data exposure.
The US Small Business Administration (SBA) disclosed a data exposure that potentially revealed personal information belonging to nearly 8,000 small business owners who applied for assistance under the SBA's Economic Injury Disaster Loan (EIDL). According to a notification letter obtained by CNBC, the exposed data included "names, Social Security numbers, tax identification numbers, addresses, dates of birth, email, phone numbers, marital and citizenship status, household size, income, disclosure inquiry and financial and insurance information."
The exposure was due to a glitch on the loan application portal. If a user was in the portal and hit the page back button, they could have seen information belonging to a different applicant. The SBA has since fixed the issue, and said there was no evidence yet that any of the information had been misused. The Washington Post says the administration is offering one free year of credit monitoring to affected users.
Nintendo says around 160,000 accounts have been hacked.
Nintendo announced on Friday that approximately 160,000 Nintendo accounts have been improperly accessed in recent weeks, CNET reports. The company said the attackers may have viewed users' names, dates of birth, genders, countries or regions, and email addresses. While no credit card information was breached, the attackers could use the accounts to purchase games or in-game currency (and this did occur in some cases). The company has since disabled the ability to log into Nintendo accounts using Nintendo Network IDs (NNIDs), and will be forcing password resets for affected users.
Nintendo said the hackers logged into the accounts using NNIDs and "password information obtained illegally by some means other than our service." This might suggest credential stuffing, although the company said in its English statement that since the investigation is ongoing, "in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access."
ZDNet reported on Monday that an increasing number of Nintendo users were saying their accounts had been accessed from unknown IP addresses, with many of these users reporting that the hackers bought Fortnite currency using their accounts. ZDNet noted that some of the victims said they had used complex, unique passwords for their accounts, raising concerns that the attackers may be using something other than credential stuffing to gain access. As always, users are advised to set up two-factor authentication on their accounts.
More state-sponsored operations using COVID-19-themed phishbait.
Google’s Threat Analysis Group (TAG) published a report examining how state-sponsored threat actors are using the COVID-19 pandemic in their phishing expeditions. TAG says it's seen "over a dozen" of these groups using coronavirus-themed phishing lures. They don't attribute these activities to any specific countries, but they do name two threat actors who have been targeting international health organizations. One of these groups is Charming Kitten, which has been widely associated with the Iranian government and whose healthcare-focused activities were reported by Reuters earlier this month. The other group is Packrat, a South American threat actor whose alignment is unclear. The researchers also describe a campaign that targeted US government employees by posing as fast food companies offering free meals and coupons.
TAG emphasizes that it hasn't seen an increase in state-sponsored cyber activity, only a shift in phishbait. The researchers note that they actually observed fewer government-backed attacks in March compared to the previous two months, which they speculate could be due to "productivity lags and issues due to global lockdowns and quarantine efforts."
Four vulnerabilities reported in IBM Data Risk Manager.
Security researcher Pedro Ribeiro disclosed four unpatched flaws in IBM Data Risk Manager (IDRM), three of which could be chained together to "achieve unauthenticated remote code execution as root." He also released Metasploit modules for exploiting the flaws.
IDRM is an enterprise security offering from IBM which is used to aggregate and visualize threat data from different security tools. Ribeiro decided to go public with the bugs after receiving a dismissive response from IBM, even though he offered the private vulnerability report for free. IBM has since told BleepingComputer that "[a] process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued."
The company published this advisory on Tuesday, saying that two of the flaws had been fixed in version 2.0.4 of IDRM, while another (a default password issue) could be fixed by the user. IBM is still investigating the fourth flaw, which is an authentication bypass vulnerability.
Microsoft released an out-of-band patch for remote code execution vulnerabilities affecting Office, Office 365 ProPlus, and Paint 3D, Threatpost reports. The flaws could be exploited by sending "a specially crafted file containing 3D content to a user and convinc[ing] them to open it."
Crime and punishment.
The US Supreme Court will hear a case later this year that could potentially limit the scope of the Computer Fraud and Abuse Act (CFAA), Reuters reports. The case involves a former police officer in Georgia who was convicted in 2017 for accepting $6,000 to run a license plate in order to see if an exotic dancer was an undercover cop. The former officer was convicted on one count of violating CFAA and one count of honest services fraud. The latter charge was dismissed by an appeals court last year, and the man now contends that since he was authorized to access the computer he used to conduct the search, the CFAA conviction should be overturned as well.
HackRead reports that a hacker returned more than $24 million worth of stolen cryptocurrency after the thief realized they'd exposed their IP address and other metadata during the attack. The hacked platform, Lendf.me, sent the hacker a message simply stating, "Contact us, for your better future."
Courts and torts.
CyberScoop reports that Crown Sterling, a cryptography company whose CEO was heckled during his Black Hat speech for presenting what Bruce Schneier calls "complete and utter snake oil," has reached a confidential settlement with Informa Tech Holdings, the organizer of Black Hat USA. Crown Sterling had sued the event's organizers for allegedly participating in a "defamatory smear campaign." Crown Sterling said in a statement on Monday that the two companies "have entered into a confidential settlement of the civil action brought by Crown Sterling relating to its participation at Black Hat USA 2019 on terms that are acceptable to both parties. In connection with the settlement and with respect to Crown Sterling's sponsored session at Black Hat USA 2019, Informa would like to clarify that to its knowledge Crown Sterling's presentation was in compliance with Black Hat's Code of Conduct and its Sponsorship and Exhibitor Agreement. Crown Sterling recognizes the unique and important contribution of Black Hat USA and looks forward to future conferences."
Policies, procurements, and agency equities.
The UK is seeking to expand the Investigatory Powers Act of 2016 (also known as the "Snooper's Charter") to give surveillance powers to five additional government agencies, the Guardian reports. According to a memorandum posted online, the government would like to grant such powers to the Civil Nuclear Constabulary, the Environment Agency, the Insolvency Service, the UK National Authority for Counter Eavesdropping (UKNACE), and the Pensions Regulator. (The Register summarizes what each of these agencies does.) The memorandum states that these agencies "will gain the power to obtain communications data as they are increasingly unable to rely on local police forces to investigate crimes on their behalf."
The US Defense Department's Cybersecurity Maturity Model Certification (CMMC) set of standards for government contractors is still on track, National Defense Magazine reports, although one potential snag involves in-person audits, which can't be conducted until stay-at-home orders are lifted.
Fortunes of commerce.
Zoom's user base grew from 200 million to 300 million in the past three weeks, CNET reports. The company posted its 90-day security update on Wednesday, announcing that all Zoom customers will begin using AES 256-bit GCM encryption on May 30th. Zoom 5.0, expected to release this weekend, will also add a "Report a User" feature to flag misuse.
Mozilla announced that it's offering larger rewards through its bug bounty program (up to $10,000), and will begin accepting duplicate reports when multiple researchers report the same bug within 72 hours of each other. In these instances, the bounty will be split between each reporter, with higher portions going to those who submitted higher-quality reports.
Mergers and acquisitions.
London-based private equity firm Apax Partners has completed its acquisition of Colorado-headquartered risk assessment provider Coalfire for an undisclosed amount.
Investments and exits.
Mountain View, California-based event stream processing company Confluent has raised $250 million in a Series E round led by Coatue Management, with participation from Altimeter Capital, Franklin Templeton, Index Ventures, and Sequoia Capital. The company is now valued at $4.5 billion.
San Francisco-based digital identity management company ForgeRock has raised $93.5 million in Series E funding from Riverwood Capital and its existing investors.
Tel Aviv-based behavioral biometrics company BioCatch has raised $145 million in a Series C round led by Bain Capital Tech Opportunities, with participation from Industry Ventures, American Express Ventures, CreditEase, Maverick Ventures, and OurCrowd.
Sunnyvale, California-based breach-and-attack simulation provider SafeBreach has closed a $19 million Series C round led by OCV Partners, with participation from Sequoia Capital, Deutsche Telekom Capital Partners, DNX Ventures, Hewlett Packard Pathfinder, and PayPal.
Coder, a Texas-headquartered startup that offers a secure, cloud-based code development suite, raised $30 million in a Series B round, Crunchbase News reports. The round was led by GGV Capital, with participation from In-Q-Tel, Uncork Capital, and Redpoint Ventures.
Boston-headquartered red teaming company Randori has raised $20 million in a Series A round led by Harmony Partners, with participation from existing investors Accomplice, .406 Ventures, and Legion Capital.
Tel Aviv-based computing performance optimization company Granulate has secured $12 million in a Series A funding round led by Insight Partners, with participation from TLV Partners and Hetz Ventures.
India-based application security startup Indusface has raised $5 million in funding from Tata Capital Growth Fund II.