Malware for air-gapped systems.
Three security firms have published reports on malware designed to exploit air-gapped computers. ESET researchers uncovered malware they call "Ramsay" that possesses shared artifacts with a backdoor used by the DarkHotel APT, although ESET doesn't attribute Ramsay to any group. Ramsay is "tailored for collection and exfiltration of sensitive documents" within air-gapped networks, and it's delivered to those networks via removable media.
Trend Micro describes USBferry, a newly discovered malware strain used by the Tropic Trooper APT. The malware was deployed in a recent campaign targeting the "Taiwanese and the Philippine military’s physically isolated environment." Tropic Trooper has apparently been using USBferry since at least December 2014. This malware spreads to air-gapped systems via infected USB drives. The researchers explain that "Tropic Trooper is aware that main military or government agencies may have protection strategies in place in physically isolated environments, such as the use of biometrics, secure USB for data transfers, or plugging the USB device into a quarantined machine before using it in a physically isolated environment. Therefore, Tropic Trooper chooses to target related organizations and use them as initial footholds. In this case, we observed how Tropic Trooper actors successfully moved from a military hospital to the military’s physically isolated network."
Kaspersky has been tracking a Trojan using the same codebase as COMPfun that has the capability to spread from one computer to another by infecting USB drives. The Trojan is being used in a campaign targeting European diplomatic entities. The malware's dropper is a spoofed visa application, but the researchers aren't sure how the dropper is delivered. Based on the campaign's victims, Kaspersky attributes the malware to the Russian state-sponsored actor Turla with a "medium-to-low level of confidence."
Iran suspected in cyberattack against Israeli water infrastructure.
Israel thwarted a cyberattack in April that targeted programmable logic controllers operating valves for civilian water distribution networks, and Fox News reports that the attack is now being linked to Iran. The Washington Post cites "two officials of a foreign government that monitored the attack in real time" as saying the attack was "coordinated, but not particularly sophisticated." The attack did not cause any damage. Axios reports that Israel's security cabinet held a top-secret meeting late last week to discuss the incident, and the publication quotes a senior Israeli official as saying, "This was a very unordinary cyber attack against civilian water facilities which is against every ethic and every code even in times of war. We didn't expect this even from the Iranians. It is just not done." The Washington Post says Iran denies any role in the attack.
Thunderspy DMA attacks can provide full access to a system's data.
A researcher at the Eindhoven University of Technology discovered seven vulnerabilities related to Intel Thunderbolt ports that can allow an attacker with physical access to a computer to gain access to all of the computer's data. The researcher, Björn Ruytenberg, says the only mitigation is disabling the Thunderbolt port. The attack, which Ruytenberg calls "Thunderspy," bypasses some mitigations put in place to protect against the Thunderclap vulnerabilities disclosed last year. Thunderspy can be partially mitigated by Intel's Kernel DMA Protection, present in computers produced since 2019.
WIRED notes that the attack shouldn't cause concern for the majority of users since it isn't trivial to execute and requires physical access to the machine, but Ruytenberg observes that "[t]hree-letter agencies would have no problem miniaturizing this."
In response to the research, Intel told WIRED, "For all systems, we recommend following standard security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers."
China-linked disinformation network on Facebook and Twitter.
Bellingcat describes an ongoing Chinese information operation using a network of more than 2,500 bots on both Twitter and Facebook to spread criticisms of exiled Chinese businessman Guo Wengui, who now resides in the US. Much of the operation focuses on Guo's recent statements criticizing the Chinese government's response to COVID-19. The same network of accounts also criticized the Hong Kong protests and shared cryptocurrency scams in posts with screenshots of fake Elon Musk tweets.
For more, see the CyberWire Pro Disinformation Briefing.
European supercomputers attacked.
The UK-based ARCHER academic supercomputing system sustained a "security exploitation" against its login nodes on Monday, which led its administrators to disable access to the system, the Register reports. They've also taken ARCHER offline while the incident is investigated, and they'll provide an update this coming Monday as to when it will be returned to service. ARCHER's managers warned on Wednesday that they "now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe." The Register says that "knowledgeable" speculation points out that ARCHER is an "obvious resource for research work by computational biologists as well as those modelling the potential further spread of the novel coronavirus," which also makes it an obvious target for espionage.
CyberScoop notes that Der Spiegel reported attacks against "at least six supercomputers in Germany," including the Leibniz Supercomputing Center and the Hawk computer at the Stuttgart High Performance Computing Center. The bwForCluster NEMO computer in Freiburg also reported seven different attacks, with the earliest occurring in January. The attackers in that instance obtained root privileges on the system. It's not clear if the attacks are connected or who is behind them.
CISA lists the top ten most exploited vulnerabilities.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published a list of the top ten most exploited vulnerabilities between 2016 and 2019. The vulnerabilities are CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. The alert also mentions the malware families known for exploiting each of the flaws.
The most commonly exploited vulnerabilities were located in Microsoft’s Object Linking and Embedding (OLE) technology, and the three flaws most favored by Chinese, Iranian, North Korean, and Russian state-sponsored threat actors all involved OLE.
The agency also notes that Chinese-government-linked groups in 2019 often made use of CVE-2012-0158, a Windows vulnerability disclosed in 2012 that the US government warned in 2015 was the top flaw exploited by Chinese threat actors. CISA concludes that "[t]his trend suggests that organizations have not yet widely implemented patches for this vulnerability and that Chinese state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective."
More OceanLotus-linked malicious Android apps identified.
Researchers at Bitdefender offer their own findings related to a long-running mobile malware campaign described by Kaspersky last month and by BlackBerry Cylance in October 2019. The campaign has been tied to the Vietnam-aligned threat actor OceanLotus (APT32), and it involved uploading benign applications to the Google Play Store and various third-party marketplaces, then updating those applications with information-stealing capabilities.
Bitdefender identified thirty-five additional malware samples, as well as evidence suggesting "the campaign may have used a legitimate and potentially stolen digital certificate to sign some samples." The researchers also found that the campaign began eight months earlier than previously thought, with the first malicious sample being uploaded to Google Play in April 2014.
For more, check out the CyberWire Pro Research Briefing.
Patch news.
Microsoft on Tuesday released fixes for 111 vulnerabilities across twelve products, which Computing notes makes it the third-largest Patch Tuesday update in the company's history. Thirteen of the bugs are rated "Critical," while ninety-one are classed as "Important."
Adobe addressed 36 security flaws in Acrobat and Reader for Windows and macOS, some of which could lead to arbitrary code execution.
Crime and punishment.
Ghana sentenced three former government officials to prison for "stealing, using public office for personal gains, and willfully causing financial loss to the state" in relation to a purchase of NSO Group's Pegasus tool, Ghana Business News reports. The officials, who include the former Director-General and the former Board Chairman of the country's National Communications Authority (NCA), apparently spent $4 million on NSO's product, although it's not clear if the tool was ever used. A former local representative of NSO Group had also been charged in the case, but he was acquitted. A spokesperson for NSO told CyberScoop, "NSO Group cannot comment directly on an internal Ghanaian government matter, but we understand from local reports that the sentences announced [Tuesday] were for internal misconduct and misappropriation of funds, and had nothing to do with any alleged deed or action by NSO Group." The Times of Israel observes that "[t]he court decision appears to represent the first time in the world that a government official has been jailed for doing business with NSO."
Courts and torts.
Facebook will pay a total of $52 million to 11,250 current and former content moderators as part of a class action lawsuit in which the plaintiffs alleged that they'd suffered mental trauma after viewing disturbing content day in and day out. Each moderator will receive a minimum of $1,000, according to the Verge, with higher payments for moderators who have been diagnosed with mental health conditions such as PTSD. The company will also provide weekly sessions with a mental health professional for moderators who routinely see graphic content.
The director of Rutgers University Law School’s International Human Rights Clinic and her students filed a lawsuit in New Jersey in an attempt to prevent the state from deploying Internet-based voting systems, which are widely seen as inherently insecure, the Washington Post reports.
Policies, procurements, and agency equities.
The US FBI and CISA issued a joint warning regarding espionage by Chinese intelligence services targeting research into COVID-19. The warning states that the FBI "is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options." Based on past US government advisories, the term "non-traditional collectors" can be assumed to refer to students and researchers already in place at US institutions. Reuters quotes a Chinese Foreign Ministry spokesman as saying the allegations are "slander," and that any interference with COVID-19-related research should be condemned.
The Wall Street Journal reports that Iran is also engaged in espionage against organizations conducting COVID-19-related research, and some of these operations may have resulted in data corruption. Such corruption may have been accidental, intentional, or simply a by-product of the hackers trying to cover their own tracks.
The US Office of the Director of National Intelligence (ODNI) announced last Friday that four separate ODNI cyber-focused organizations will be consolidated to form the IC Cyber Executive. This organization "will provide a single ODNI focal point for the cyber mission, which will strengthen the IC's cyber posture to better defend U.S. national security interests." ODNI is also sunsetting its Directorate of National Security Partnerships (NSP) and transferring its responsibilities to other DNI organizations.
The US Senate on Wednesday voted to amend the Foreign Intelligence Surveillance Act (FISA) in what POLITICO calls "a legislative coup for privacy advocates and civil libertarians." The bill now returns to the House, where its future is uncertain.
France passed a law requiring online content providers to remove child abuse and terrorism content from their platforms within an hour or be fined up to four percent of their global revenue, Reuters reports. Other "manifestly illicit" content must be taken down within twenty-four hours.
The US Department of Commerce has issued a 90-day extension of the Temporary General License authorizations for Huawei and its affiliates, providing "an opportunity for users of Huawei devices and telecommunication providers—particularly those in rural U.S. communities—to continue to temporarily operate such devices and existing networks while hastening the transition to alternative suppliers."
The Telegraph reports that the British government is considering requiring people to install two different contact-tracing apps before they're permitted to cross the border between Northern Ireland and the Republic of Ireland. The Republic of Ireland is working with Google and Apple to develop its own contact-tracing app, which will be incompatible with the app being developed by NHSX.
Meanwhile, the NHSX app is being trialed on the Isle of Wight, and it's getting off to a somewhat rocky start. Gizmodo calls the app "a battery-draining mess that can be confusing to use." It's also buggy, particularly in its use of Bluetooth, which is the central technology it relies on for measuring distance. On top of the technical issues, the app contains links with Google Analytics tracking tags, which is technically a violation of GDPR since the app doesn't ask for user consent to conduct such tracking. Gizmodo notes that all of these issues could be ironed out before the app's wider release, but the rollout still seems rushed.
See the CyberWire Pro Policy Briefing for more.
Fortunes of commerce.
Zero-day seller Zerodium tweeted on Wednesday that it "will NOT be acquiring any new Apple iOS LPE, Safari RCE, or sandbox escapes for the next 2 to 3 months due to a high number of submissions related to these vectors. Prices for iOS one-click chains (e.g. via Safari) without persistence will likely drop in the near future." CyberScoop quotes researchers who suspect Apple's difficult-to-work-with bug bounty program may have dissuaded hackers from reporting vulnerabilities to the company itself.
Motherboard reports that NSO Group marketed a hacking tool called "Phantom" to local US police forces, despite the company's claims that its software can't be used to target American citizens. A former NSO employee told Motherboard that Phantom was simply the company's flagship Pegasus tool under a brand name used for US territory. NSO told Motherboard in a statement, "We stand by previous statements that NSO Group products sold to foreign sovereigns cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology which enables targeting phones with US numbers."
US-based chip manufacturer Intel is in discussions with the US Defense Department about ramping up its domestic semiconductor production amid supply-chain security concerns, Defense News reports. Additionally, the Wall Street Journal says Taiwan Semiconductor Manufacturing Co. (TSMC) will build a $12 billion chip manufacturing plant in Arizona.
Labor markets.
TechRepublic offers industry-specific advice for those looking to land a job in cybersecurity.
Mergers and acquisitions.
Switzerland-headquartered code security firm SonarSource has acquired Germany-based application security company RIPS Technologies.
Missouri-based private equity firm Thompson Street Capital Partners has acquired Wisconsin-based encryption and data compression company PKWARE for an undisclosed amount.
Utah-based certificate and key management company Venafi is acquiring London-headquartered Kubernetes startup Jetstack.
Palo Alto, California-headquartered VMware will acquire Sunnyvale, California-based Kubernetes security startup Octarine.
Investments and exits.
New York-based Active Directory security firm Semperis has raised $40 million in a Series B round led by Insight Partners, with participation from existing investors.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.