Cyber adjuncts to kinetic strikes in the Middle East.
The US and Iran appear to be seeking de-escalation following the US drone strike against Quds Force commander General Soleimani and Iran's retaliatory rocket barrage against two US bases in Iraq. The New York Times predicts Tehran will now turn its focus to cyber operations.
CISA on Monday released a warning not to underestimate Tehran’s capabilities. In a follow-up to its Director’s tweeted advice to review what Iran’s cyber operators have attempted and accomplished in cyberspace during recent years, the agency singles out four incidents as particularly worthy of study: distributed denial-of-service actions against the US financial sector from late 2011 through mid-2013; unauthorized access to control systems at the Bowman Street Dam in Rye, New York, in August and September of 2013; a data theft and wiper attack against the Sands Las Vegas Corporation in February 2014; and an espionage operation between 2013 and 2017 that the US Justice Department attributed to Iran's Mabna Institute.
CyberScoop reports that the Multi-State Information Sharing and Analysis Center (MS-ISAC) has also warned its members to watch out for Iranian cyberattacks. And New York State’s Department of Financial Services has also advised banks and other institutions that they may well receive the attentions of Iranian hackers.
A nuisance attack in solidarity with Tehran.
There’s also been one minor attack on a US Government website that would seem to represent the work of either Tehran’s operators or of patriotic hacktivists aligned with Iran. The website of the US Federal Depository Library Program (a GPO site that makes official documents broadly available) was defaced with Iranian messaging, Forbes reports. Forbes characterizes it as a “noisy” attack, which is usually the case with cyber vandalism. The Department of Homeland Security is investigating, and, as NBC News quotes CISA representatives, it’s too early for firm attribution: "At this time, there is no confirmation that this was the action of Iranian state-sponsored actors."
As the New York Times points out, the action amounted to picking low-hanging fruit, more target of opportunity than high-value target. The group that claimed responsibility calls itself the “Iran Cyber Security Group Hackers,” but even people disposed to look for the hand of Tehran aren’t immediately concluding that this crew is actually working under the direction of the Islamic Republic. They may amount to nothing more than sympathetic hacktivists.
APT33 is targeting the US electric sector.
Attacks against industrial control systems obviously represent a far more serious threat from Tehran. Dragos on Thursday released a report stating that the Magnallium threat group has been conducting widespread password-spraying attacks against electric utilities and oil and gas companies in the US. Dragos doesn't attribute threat actors to nation-states, but others have tied Magnallium to the Iran-linked group APT33 (also known as Elfin or Refined Kitten). A second group which Dragos tracks as "Parisite" appears to be working alongside Magnallium by probing for vulnerabilities in VPN software at companies in the same sectors.
It's worth noting that this activity has been ongoing throughout 2019—it wasn't spurred by Soleimani's death. Accordingly, Dragos's CEO Rob Lee told WIRED that his "concern with the Iran situation is not that we're going to see some new big operation spin up. My concern is with access that groups might already have." Lee emphasized, however, that while ICS-focused attacks are a real concern, they're extremely unlikely to cause widespread blackouts.
Austria's Foreign Ministry is hacked (Fancy Bear is the usual suspect).
Austria’s Foreign Ministry was hacked late last week in what appears to have been a foreign espionage campaign. Vienna is being tight-lipped about attribution and other details of the attack, but the BBC brackets its own reporting of the few known facts with a review of Russian cyber espionage campaigns, which suggests the way speculation is currently running. The evidence for this is circumstantial almost to the point of being a matter of a priori probability, but the word on the street, according to Infosecurity Magazine, is that this looks like the work of Fancy Bear. Meanwhile, Austrian parliamentarians have called their government "unprepared" to withstand cyberattacks, BleepingComputer says.
Google is OK (for now) with having ToTok back in the Play Store.
Google has permitted the ToTok chat app back into the Play Store despite a report by the New York Times last month that claimed the popular app is actually spyware "used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones." The report cited US intelligence officials who believe the app is linked to Emirati cyberintelligence firm DarkMatter.
After the Times notified Google and Apple, both companies pulled the app from their stores in order to investigate. Google reinstated the app without comment this past Saturday, and the Verge infers from the action that Mountain View didn't find anything damning during the course of its investigation. Apple's investigation is ongoing, but security researcher Patrick Wardle analyzed the iOS version of the app and found that ToTok "simply does what it claims to do…and really nothing more." Wardle observed, however, that if the app is a government surveillance tool, the evidence wouldn't need to be visible within the app itself.
WIRED notes that this places both Google and Apple in a difficult position. If they remove the app based on the word of anonymous US government officials, they'll set a tricky precedent that other governments may try to abuse. If, on the other hand, they restore the apps, they'll be implicitly suggesting that alleged government surveillance tools are permitted in their stores so long as they don't violate company policies. It's not clear which course Apple will take, but Google appears to have decided it won't remove ToTok without hard evidence that the app is being misused.
Pre-installed malware found on US government-funded phones.
Malwarebytes has found "unremovable" malware pre-installed on low-cost Android smartphones developed by Assurance Wireless as part of the US Federal government's Lifeline program. The malicious components are installed on Assurance's cheapest phone, the UMX U686CL, which is available to low-income Americans through the government-funded program. The device's Wireless Update component is a variant of the Adups malware. Adups is authored by a Chinese third-party firmware provider, the Shanghai Adups Technology Company, which provides a Firmware Over The Air (FOTA) update software system for low-budget Android Phones. In 2017, Kryptowire reported that the update system essentially functions as spyware, granting Adups complete remote control over devices.
Malwarebytes also discovered that the UMX U686CL's Settings app contains code that's nearly identical to that of two known mobile Trojan droppers. The researchers didn't observe this code downloading any additional malware, but they've received reports from customers that the app installs the HiddenAds adware.
UMX devices are produced by a Chinese company, but the researchers emphasize that they "cannot confirm if the makers of the device are aware there is Chinese malware pre-installed."
Ransomware moves into data theft.
Computer Weekly has confirmed that foreign exchange service Travelex was hit by Sodinokibi ransomware. BleepingComputer reports that the attackers have threatened to sell data it stole during the attack if Travelex refuses to pay $6 million in ransom (bumped up from $3 million). Travelex maintains that there's still no evidence any data was stolen, but the Sodinokibi actors say they'll begin selling "DOB + SSN + CC" on the black market if they don't receive the ransom money.
It's worth noting that threat intelligence company Bad Packets warned Travelex in September that seven of the company's Pulse Secure VPN servers were vulnerable to CVE-2019-11510, but the servers weren't patched until November. CVE-2019-11510 was disclosed in April 2019, so Travelex's servers remained vulnerable for eight months. It's not clear if these servers were the source of the Sodinokibi attack, but they certainly could have provided an opening.
The city of Pensacola, Florida, is offering free LifeLock identity protection to approximately 57,000 people whose data may have been affected by the Maze ransomware attack the city suffered in December 2019. Pensacola maintains that it doesn't think any data were stolen, but it's providing the identity protection just to be safe. The News Journal points out that the Maze gang published more than two gigabytes of data taken from the city in an effort to pressure Pensacola into paying up.
GCHQ investigates August's London Stock Exchange outage.
The Wall Street Journal says that Britain’s GCHQ is investigating the possibility that a London Stock Exchange outage in August, regarded as an accidental glitch, may have in fact been a cyber attack. The London Stock Exchange said at the time that “a technical software issue had temporarily prevented trading in a range of securities,” but it hasn’t provided specifics. British authorities are looking into the possibility that, if the incident was an attack, the attackers’ goal might have been erosion of confidence in the financial sector specifically and in Britain’s critical infrastructure generally.
Mozilla released a patch for a critical vulnerability in Firefox 72 that's being used in targeted attacks in the wild. Naked Security advises users to promptly ensure they've updated to Firefox version 72.0.1.
Crime and punishment.
NBC News reports that the FBI has asked Apple to help it unlock two iPhones believed to have been owned by Lieutenant Mohammed Saeed Alshamrani, the individual believed to have been the shooter who murdered three people at Pensacola Naval Air Station last month before being shot dead by a responding law enforcement officer. Apple told CNBC that it's working with the FBI in the investigation, but the company also says it intends to adhere to its policy of standing firm on encryption of data in Apple devices. Cupertino said in a statement that "[w]hen the FBI requested information from us relating to this case a month ago, we gave them all of the data in our possession and we will continue to support them with the data we have available." Patently Apple points out that when law enforcement wants access to an Apple device, they typically turn to mobile forensics company Cellebrite. However, NBC notes that Alshamrani appears to have fired a round into one of the phones, which may have hindered the Bureau's conventional means of access. The Washington Post says the FBI is particularly keen on gaining access to the contents of the damaged phone, which the suspect may have intended to destroy.
KBTX TV reports that law enforcement in McLennan County, Texas, have arrested a Lubbock man named Andy Castillo, who's accused of stalking realtors online and threatening their children. He's currently being held without bond in a Lubbock jail, where the alleged creep faces a charge of "criminal solicitation of aggravated sexual assault."
Courts and torts.
The US 9th Circuit has ruled that Enigma Software's lawsuit against Malwarebytes may proceed. The two security firms are embroiled in litigation over Enigma's allegation that Malwarebytes has engaged in unfair and anticompetitive practices.
YouTube, in accordance with agreements that accompanied the $170 million fine it received from the US Federal Trade Commission in September 2019, is now limiting both ad targeting and data collection associated with content produced for children, TechCrunch reports.
Google has agreed to a settlement of consumer class action suits over data leaks associated with Mountain View's now defunct social media platform Google+. Bloomberg Law says the amount of the settlement is $7.5 million.
Policies, procurements, and agency equities.
The Moscow Times notes that Russia's new autarkic Internet law has so far had little effect, and its future impact is still uncertain. The Russian government is reportedly testing deep-packet inspection technology and building its own Domain Name System, but observers suspect that both of these will prove more difficult to implement countrywide than the government hopes. The Times observes that "the coming year will show if Russia is going to enforce the internet and tech laws it already has, or just forget about them as they fall through loopholes."
India is making changes to its intermediary liability laws, and TechCrunch reports that several tech companies including GitHub, Mozilla, and Cloudflare have petitioned the Indian government for transparency about amendments to the law, which may impact the way the companies and India's citizens process information online. The government is expected to submit the final draft of the law to the Supreme Court by January 15th, but so far no one outside of the Indian government knows exactly what the proposal contains.
Reuters reports that the White House has issued proposals for principles that would shape future regulation of artificial intelligence. The administration recommends that federal agencies "conduct risk assessment and cost-benefit analyses prior to any regulatory action on AI, with a focus on establishing flexible frameworks rather than one-size-fits-all regulation."
Fortunes of commerce.
Google's Project Zero will now wait a full 90 days before disclosing vulnerabilities in order to give vendors time to roll out their patches. In the past, Project Zero would set a 90-day deadline and publicly disclose the details either as soon as the bug was fixed or at the deadline if the bug wasn't fixed in time. This approach occasionally attracted criticism, especially when the researchers would release details on unpatched vulnerabilities, but Google maintains that the policy succeeded in motivating vendors to develop patches quickly. However, as Project Zero's manager Tim Willis explains in a blog post, the policy often resulted in patches that were rushed and half-baked. Project Zero hopes the new policy will help vendors test their patches and improve patch adoption.
Mergers and acquisitions.
Accenture will acquire Symantec’s Cyber Security Services business from Broadcom for an undisclosed amount. GovCon Wire says the acquisition is expected to close in March.
Insight Partners is acquiring Swiss data management company Veeam Software for $5 billion, Computing reports.
Cloudflare has acquired Washington-based browser isolation startup S2 Systems for an undisclosed sum, SiliconANGLE reports.
Insight Partners has acquired Palo Alto, California-based enterprise device security firm Armis for $1.1 billion, according to ZDNet.
Email security provider Mimecast has acquired Tel Aviv-based phishing prevention startup Segasec. The terms of the deal weren't disclosed, but Calcalist, citing an anonymous source familiar with the deal, reports that it was around $40 million.
Mastercard is acquiring Utah-based risk assessment automation provider RiskRecon for an undisclosed sum, according to Silicon Republic.
Rockwell Automation is acquiring Israeli IT/OT cybersecurity company Avnet Data Security.
Spanish information technology and defense systems company Indra is acquiring Madrid-based cybersecurity company SIA, Jane's 360 reports.
PE Hub reports that Dell Technologies will try to sell RSA Security for at least $3 billion. Morgan Stanley has been retained to assist in the process, which will begin early this year, according to SDxCentral.
Investments and exits.
New York City-based data privacy and protection provider BigID has secured $50 million in funding from Tiger Global Management.
New Jersey-based enterprise software vendor AvePoint has received $200 million in a Series C funding round led by TPG Sixth Street Partners, TechCrunch reports.