Cyberattack on Iranian port attributed to Israel.
The New York Times reports that Israel was behind a cyberattack on May 9th against Iran's Shahid Rajaee port in the Strait of Hormuz. The paper cites "high-ranking intelligence officials and experts in the Middle East who are kept informed of covert Israeli actions in the region" as saying the attack was a "direct response" to a failed cyberattack allegedly launched by Iran against an Israeli water facility in April. The Iranian-linked attack wouldn't have caused much damage even if it had been successful, and the Times says Israel's response was intentionally proportionate: the port's computer systems were knocked offline, causing widespread disruptions to shipping traffic, but leaving no physical or permanent damage. The Washington Post reports that the effects of the attack were more serious than Iranian officials have indicated, however. The Post cites satellite imagery showing "dozens of loaded container ships" waiting off the coast days after the attack took place.
Israeli websites defaced.
On Thursday, more than 2,000 Israeli websites were defaced with an anti-Israeli YouTube video along with code that asked for permission to use visitors' webcams, ZDNet reports. In some cases, the code attempted to take a picture of the user and send it to a remote server. The majority of the affected sites were hosted on the Israeli WordPress hosting service uPress. uPress stated that the attackers made use of a vulnerability in a WordPress extension.
Multiple media outlets initially attributed the attacks to Iran, but Haaretz and others say there's no evidence to back this up. The hacks were claimed by a group calling itself "Hackers of Saviour," and were apparently timed to coincide with the start of Jerusalem Day on May 21st. Check Point told Haaretz that the group appears to be operating from Turkey, the Gaza Strip, and North Africa.
Silent Night builds on ZeuS's code.
Malwarebytes and HYAS have published a report on a new malware family based upon the venerable ZeuS banking Trojan. The new Trojan is called "Silent Night," and its first compilation date appears to have been in late November 2019. It's being sold by its author on Russian-language underground forums at $2000 for a "general build" and $4000 for a "unique build." A fourteen-day trial alone is $500, and buyers can shell out an extra $1000 for hidden virtual network computing (HVNC) functionality. Silent Night's author claims he wrote the Trojan by himself over the course of more than five years and "on average about 15k ~ hours were spent," which resulted in "the ideal banking trojan."
The malware is being distributed via phishing campaigns with malicious documents. The researchers are certain the malware is being used by multiple actors, some of whom are more sophisticated than others, and they "predict with moderate confidence an evolution of the bot from something that anyone with a budget can buy, into a vehicle for one group to conduct banking theft at scale."
Proofpoint researchers on Wednesday outlined their own observations on the malware (which they track as a ZLoader variant), writing that "[s]ince we started observing the new variant in December 2019, it has become popular and widespread. At the time of writing, we are documenting at least one ZLoader campaign per day by a variety of actors primarily targeting organizations in the United States, Canada, Germany, Poland, and Australia."
Winnti Group compromises video game companies.
ESET says the Winnti Group has used a new backdoor against several MMO video game companies based in South Korea and Taiwan. In one instance, the attackers breached the company's build orchestration server, putting them in a position to Trojanize game executables. In another incident, they breached game servers, potentially allowing them to make money by tampering with in-game currencies. ESET's researchers note that compromising software developers to Trojanize legitimate applications is consistent with past Winnti Group campaigns, and they point out that the "new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware."
REvil operators threaten to leak celebrity data.
The operators of the REvil ransomware (also known as Sodinokibi) have stolen data from Grubman Shire Meiselas & Sacks (GSMS), a New York law firm that represents various celebrity clients, and are demanding $42 million in exchange for keeping the data confidential. The hackers first published 2.4 GB of documents belonging to Lady Gaga, then claimed they would be releasing "dirty laundry" on Donald Trump (even though, as Page Six notes, the president has never been a client of the firm).
The hackers then published 169 emails containing what they called "the most harmless information" on President Trump. While the hackers themselves said these emails were harmless, Forbes observes that they are "about as far from dirty laundry as you can get." It seems as though the crooks simply searched the trove of data for the word "trump," and concluded that these messages were somehow relevant to the president. As a result, many of the missives use "trump" as a verb or simply mention the president incidentally. It's not clear if the attackers have anything more substantial pertaining to President Trump, but Forbes concludes that "there is absolutely nothing here to suggest that they do." In any case, Infosecurity Magazine reports that the attackers claim to have sold their Trump-related data and are now planning to auction off data connected to Madonna.
The law firm told Page Six that "[w]e have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law," suggesting that the FBI may be considering the incident as terrorism. However, the Bureau told BleepingComputer, "Unless the FBI determines the Ransomware was deployed by a designated terrorist organization or nation state, the FBI treats Ransomware investigations as criminal matters."
Cryptomining on supercomputers.
ZDNet reports that cryptomining may have been the motivation behind a wave of cyberattacks against supercomputers in Europe. Cado Security cites a report from the European Grid Infrastructure (EGI) outlining an incident involving an attacker "currently targeting academic data centers for CPU mining purposes." EGI says "[t]he attacker is hopping from one victim to another using compromised SSH credentials." Cado cautions that there's no hard evidence that the attacks against supercomputers are related, but adds that similar filenames and other clues indicate that this could be the case. Likewise, security researcher Tillmann Werner says the theory is still speculation, although he believes cryptomining is "the most likely of all hypotheses."
Observers initially suspected that the attackers were conducting espionage, since these computers are being used to conduct research into COVID-19. While cryptojacking is generally regarded as low-severity compared to other types of cyberattacks, ZDNet notes that the downtime resulting from these attacks has probably delayed coronavirus-related research. The UK's ARCHER National Supercomputing Service, for example, was taken offline for eleven days.
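One way for a defender to look for the credential hopping EGI describes, as an added example that is not from the EGI, Cado or ZDNet reports: correlate accepted sshd logins across cluster nodes and chain them by account, so an external entry point followed by internal node-to-node logins under the same account stands out. The log lines, node names and addresses below are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sshd log lines from four cluster nodes (sample input, not from the EGI report).
# Each entry is (reporting host, log line).
SAMPLE_LOGS = [
    ("login1", "May 11 02:14:07 login1 sshd[4012]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2"),
    ("node07", "May 11 02:16:31 node07 sshd[2210]: Accepted publickey for alice from 10.10.0.1 port 40311 ssh2"),
    ("node12", "May 11 02:19:52 node12 sshd[2299]: Accepted publickey for alice from 10.10.0.7 port 40877 ssh2"),
    ("node03", "May 11 02:21:05 node03 sshd[1877]: Accepted publickey for alice from 10.10.0.1 port 40390 ssh2"),
    ("node07", "May 11 08:03:15 node07 sshd[2410]: Accepted password for bob from 10.10.0.1 port 40399 ssh2"),
]
# Constructed inventory: cluster node name -> its internal address.
HOST_ADDR = {"login1": "10.10.0.1", "node03": "10.10.0.3", "node07": "10.10.0.7", "node12": "10.10.0.12"}
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")

def parse_logins(entries):
    """Return (user, source address, destination host) for each accepted login, in log order."""
    logins = []
    for host, line in entries:
        m = LOGIN_RE.search(line)
        if m:
            logins.append((m.group("user"), m.group("src"), host))
    return logins

def find_hop_chains(entries, host_addr):
    """A chain starts with a login from an address outside the inventory (the entry point)
    and grows whenever the same account later logs in to another node from the address
    of a node already in that chain; fan-out from an earlier hop opens a new branch."""
    addr_host = {addr: host for host, addr in host_addr.items()}
    chains = defaultdict(list)  # user -> list of chains, each a list of hops
    for user, src, dst in parse_logins(entries):
        src_host = addr_host.get(src)
        if src_host is None:
            chains[user].append([src, dst])  # external entry point
            continue
        for chain in list(chains[user]):
            if src_host not in chain:
                continue
            if chain[-1] == src_host:
                chain.append(dst)  # continue the chain from its last hop
            else:
                chains[user].append(chain[:chain.index(src_host) + 1] + [dst])  # new branch
            break
    # Keep only accounts that actually hopped beyond their first node.
    return {u: [c for c in cs if len(c) > 2]
            for u, cs in chains.items() if any(len(c) > 2 for c in cs)}
```

Logins whose source is an internal node but whose account has no recorded entry point (bob above) are not chained; in practice those deserve a separate check against the cluster's own login records.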
Verizon releases 2020 DBIR.
Verizon this week released its 2020 Data Breach Investigations Report (DBIR). The report stresses that stolen credentials are a key component of most breaches, so attackers have grown more reliant on phishing and credential theft. For the same reason, password dumpers were the most commonly observed type of malware.
The report found that 86% of breaches were financially motivated (compared to 71% in last year's report), and 55% were attributed to organized criminal groups. The number of breaches attributed to errors, particularly misconfigurations, rose noticeably, but the researchers suspect this is due to increased reporting rather than an increase in errors, so they regard this as a positive trend.
See more in the CyberWire Pro Research Briefing.
Microsoft on Thursday began rolling out a new stable version of the Edge browser, which incorporates fixes for twenty-four vulnerabilities in the Chromium project.
Adobe issued out-of-band security updates for Premiere Rush, Premiere Pro, Audition, and Character Animator. BleepingComputer notes that a vulnerability in Character Animator was rated "Critical," and could have led to remote code execution.
Cisco released a patch for a critical flaw in Cisco Unified Contact Center Express (Unified CCX) that could have allowed an attacker to achieve remote code execution as root by "sending a malicious serialized Java object to a specific listener on an affected system."
Crime and punishment.
The Washington Post reports that the US Department of Justice has succeeded in extracting information from the damaged iPhones that belonged to the Saudi air force student who killed three US Navy sailors at Pensacola Naval Air Station in December. Attorney General Barr and FBI Director Wray announced Monday that evidence on the phones enabled them to tie the shooter to al-Qaeda operatives. Barr and Wray both criticized Apple during the press conference, according to ABC News, with Barr saying it took five months to gain access to the encrypted information. Apple, however, maintains that the outcome shows that law enforcement doesn't need a backdoor into its products.
The Security Service of Ukraine (SBU) announced Tuesday that it had arrested a hacker known as "Sanix" who entered the spotlight in January 2019 when he began selling access to the Collection #1 email and password dump. The SBU says Sanix also had seven similar databases containing "logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, information about computers hacked for further use in botnets and for organizing DDoS attacks."
Dutch police have arrested a 21-year-old local man for his alleged involvement in an SMS phishing scam that caused an entrepreneur to lose €1.1 million.
Courts and torts.
A federal judge has preliminarily approved Google's $7.5 million settlement for a proposed class action lawsuit over a data breach that occurred on its shuttered Google+ social network, Law360 reports.
A court in the Netherlands has ruled that a woman must delete photos of her grandchildren from her Facebook profile after the children's mother requested that they be removed, the BBC reports. The judge said the matter fell under the scope of GDPR because "[w]ith Facebook, it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties."
Policies, procurements, and agency equities.
Prime Minister Boris Johnson said this week that the UK would have a national contact-tracing system in place by June 1st, the Telegraph reports, but ComputerWeekly says the government later acknowledged that it's unlikely to meet this deadline. The NHS contact-tracing app is still struggling with a growing number of technical issues and security flaws, according to Gizmodo UK.
A bipartisan group of US senators is requesting that all calls between the House and Senate be encrypted, the Verge reports.
For more policy news, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Taiwan Semiconductor Manufacturing (TSMC) confirmed on Friday that it will build a $12 billion chip factory in Arizona "with the mutual understanding and commitment to support from the U.S. federal government and the State of Arizona." Construction will begin next year, with production slated to begin in 2024. The company stated that "[t]his project is of critical, strategic importance to a vibrant and competitive U.S. semiconductor ecosystem that enables leading U.S. companies to fabricate their cutting-edge semiconductor products within the United States and benefit from the proximity of a world-class semiconductor foundry and ecosystem."
Also on Friday, in a move that WIRED believes may have been coordinated, the US Commerce Department's Bureau of Industry and Security (BIS) announced that it was amending its foreign-produced direct product rule to block Huawei from purchasing chips produced by international companies that contain US technology. The BIS states that "Huawei has continued to use U.S. software and technology to design semiconductors, undermining the national security and foreign policy purposes of the Entity List by commissioning their production in overseas foundries using U.S. equipment." The rule change also applies to TSMC, and Nikkei reports that the Taiwanese company has stopped taking new orders from Huawei, which is its second-largest customer after Apple.
Global Times, a Chinese government news outlet, cites a source as saying China is prepared to implement countermeasures to Washington's move, such as "adding US companies to China's 'unreliable entity list,' imposing restrictions on or launching investigations into US companies like Qualcomm, Cisco and Apple according to Chinese laws like Cybersecurity Review Measures and Anti-monopoly Law, and suspending the purchases of Boeing airplanes."
The Wall Street Journal, citing findings from CompTIA, reports that the IT sector in the US lost 112,000 jobs in April. Job postings for core IT positions also dropped from approximately 360,000 to 270,000 last month.
Mergers and acquisitions.
US-based private equity firm Advent International backed off from its planned $1.9 billion acquisition of San Jose, California-based device visibility and control company Forescout, three days before the acquisition was slated to take place on May 18th. Forescout said in a statement, "Forescout and Advent are engaged in ongoing discussions regarding timing to close and the terms of the transaction. There can be no assurance that Forescout and Advent will be able to reach agreement on terms." Forescout's President and CEO Michael DeCesare said, "We continue to believe that Advent is the right partner for Forescout and we remain committed to completing the transaction in the near-term."
Portland, Oregon-based archiving and compliance software provider Smarsh has acquired Santa Clara, California-headquartered cybersecurity compliance company Entreda for an undisclosed amount.
Massachusetts-based privileged access management company CyberArk has acquired Santa Clara, California-based identity-as-a-service provider Idaptive from Thoma Bravo for $70 million.
Singapore-based SaaS cybersecurity startup Responsible Cyber has acquired digital identity wallet provider Secucial, also based in Singapore, for S$7 million (approximately US$4.9 million).
Investments and exits.
San Francisco-based cyber insurance company Coalition has raised $90 million in a Series C round led by Valor Equity Partners, with participation from Felicis Ventures, Greyhound Capital, and all of Coalition's existing investors.
Israeli cyber range platform provider Cyberbit, a subsidiary of Elbit Systems, received a $70 million investment from Charlesbank Capital Partners, with participation from existing investor Claridge Israel. $22 million went to Cyberbit, while $48 million "was paid in consideration of a portion of Elbit Systems' shares in Cyberbit," and Elbit is now a minority shareholder in Cyberbit.
Tel Aviv-based cloud container security startup Aqua Security has raised $30 million in a Series D round led by Greenspring Associates, with participation from existing investors Insight Partners, Lightspeed Venture Partners, and TLV Partners.
Palo Alto, California-based cyberattack detection and response platform provider Confluera has raised $20 million in a Series B round led by Icon Ventures, with participation from existing investors Lightspeed Venture Partners, John W. Thompson, and Lane Bess.
Source Defense, an Israeli client-side web security company focused on preventing Magecart and formjacking attacks, has raised $10.5 million in a Series A+ round led by Capital One Ventures, with participation from existing investors Jerusalem Venture Partners, AllegisCyber, Global Brain, and NightDragon.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.