Hacktivism accompanies US protests.
Sporadic hacktivism has accompanied widespread protests in the US over the death of George Floyd. Minnesota governor Tim Walz said "all state computers" were hit by a "very sophisticated denial of service attack" on Saturday, according to The Hill. Walz added, "That's not somebody sitting in their basement," although observers including StateScoop were quick to point out that DDoS attacks generally require very little skill; the software kits required to launch one of these attacks can be purchased by a basement dweller for less than $20.
The loose hacktivist collective Anonymous also made headlines this week, for characteristically underwhelming reasons. Anonymous-branded social media accounts claimed to have hacked the Minneapolis Police Department and stolen several hundred email addresses and passwords, which they subsequently published. Troy Hunt of Have I Been Pwned analyzed the data dump and concluded that it "has almost certainly been pulled out of existing data breaches in an attempt to falsely fabricate a new one."
Regardless, Anonymous-branded social media posts related to the protests have been going viral at a significant scale, and Motherboard wonders if this alone could spark a resurgence of amateur hacking under the flag of Anonymous. Reuters notes that Anonymous should be viewed as more of a brand than an actual group, since anyone on the Internet can claim membership by simply changing their social media imagery and posting ominous slogans.
US civil unrest, as seen by China, Iran, and Russia.
Social media analysis firm Graphika outlines the ways in which state-controlled media outlets from China, Iran, and Russia are using the civil unrest in the US to their advantage. China, which has faced widespread condemnation for recently approving a measure to impose a national security law on Hong Kong, has primarily focused on discrediting the US by juxtaposing US support for the Hong Kong protests with its response to demonstrations within the US. Iran has taken a similar approach, more broadly accusing the US of hypocrisy for criticizing Tehran's human rights record. Russian outlets are more focused on drawing attention to existing fissures in American society by "letting the events speak for themselves."
Graphika's researchers stress that, so far, the media coverage from these nations has been openly self-serving, and they haven't seen evidence of covert attempts to directly stoke tensions in the US, as Russia has been known to do in the past. The researchers note that the three countries did tend to amplify each other's coverage, which they attribute to "a current confluence of interests rather than a 'confluence of tactics,' as all three states have a shared interest in undermining U.S. influence as the main power capable of limiting their own geopolitical intentions, and all three have faced severe U.S. criticism for their human-rights records. Under such circumstances, each country’s messaging provided useful validation and supporting commentary for the others."
APTs targeting US presidential campaigns.
Google's Threat Analysis Group said it has observed phishing attacks launched by Chinese and Iranian threat groups against the personal email accounts of US presidential campaign staffers. China's APT31 (Hurricane Panda) targeted Joe Biden's staff, while Iran's APT35 (Charming Kitten) went after the Trump campaign. Google didn't see any signs that the attacks were successful, and told TechCrunch, "We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement."
The Washington Post cites Clint Watts from the Foreign Policy Research Institute as saying that China is probably interested in learning the geopolitical views of Biden and his staffers, while Iran is more likely seeking to undermine President Trump's re-election prospects.
Maze seeks to form a ransomware cartel.
Sky News reports that attackers using the Maze ransomware have stolen sensitive information from Westech International, a US defense contractor that provides engineering and maintenance support for the Minuteman III ICBM. Westech told Sky News that its systems have been encrypted and the company is still trying to determine which data have been stolen. The attackers have already published some of the stolen information, which includes emails, payroll data, and personal information.
Sky News explains that Maze operates under an affiliate model, so attacks are carried out by multiple different groups while the malware's developers sit back and receive a cut of the profit. The developers do act as the mouthpiece of the ransomware via their data leak website, however, and BleepingComputer says they're apparently leading the formation of a "ransomware cartel" by teaming up with other ransomware gangs to share resources. Evidence of this was first spotted by cyber intelligence firm KeLa when Maze published data that had been stolen by LockBit, a separate ransomware-as-a-service operation. The Maze operators confirmed to BleepingComputer that they're collaborating with LockBit, and added that they are in talks with other ransomware gangs to join their enterprise.
"We all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies," the criminals said. "Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors."
Fraud-detection scripts raise privacy concerns.
The Register reported last week that eBay's website was found to be running port scans against visitors' computers. Security researcher Charles Belmer explained that the site runs a script that uses WebSockets to scan for a number of ports known to be used by remote administration tools, including VNC, RDP, and Ammyy Admin. These are legitimate tools, but they're commonly abused by malware to control compromised systems. Another researcher, Dan Nemec, found that the script apparently belongs to ThreatMetrix, an online fraud detection platform owned by LexisNexis, and its purpose is presumably to flag potentially illegitimate users. While eBay's desire to prevent fraud is understandable, most observers seem to agree that scanning a user's local machine without their knowledge is a violation of privacy.
BleepingComputer says researchers at DomainTools were able to identify several hundred additional sites that appear to be using the ThreatMetrix script. These include websites belonging to Citibank, TD Bank, Ameriprise, Chick-fil-A, Lendup, BeachBody, and Equifax. Some of the sites perform a port scan immediately, while others only port scan users when they attempt to log in or check out.
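A defensive counterpart to the behaviour described above, added here as an example (it is not code from the article, eBay, ThreatMetrix, or DomainTools): a page-side guard that wraps the WebSocket constructor so any attempt by a site's scripts to open a socket to the visitor's own machine is logged and refused. The service-to-port mapping (VNC 5900, RDP 3389, Ammyy Admin 5931) is an assumption based on those tools' well-known defaults; the article lists no port numbers.

```javascript
// Added example, not code from the article or from ThreatMetrix/eBay.
// Port numbers are assumed well-known defaults, not taken from the article.
const KNOWN_SERVICES = { 5900: "VNC", 3389: "RDP", 5931: "Ammyy Admin" };
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);

// Classify a WebSocket URL: does it point at the visitor's own machine, and
// which remote-administration service would that port correspond to?
function classifyWebSocketTarget(url) {
  let u;
  try { u = new URL(String(url)); } catch { return { local: false, reason: "unparseable" }; }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") {
    return { local: false, reason: "not-websocket" };
  }
  const host = u.hostname.toLowerCase();
  const port = u.port ? Number(u.port) : (u.protocol === "wss:" ? 443 : 80);
  const local = LOOPBACK_HOSTS.has(host) || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
  return { local, host, port, service: KNOWN_SERVICES[port] || "unknown" };
}

// Wrap the WebSocket constructor so loopback connections are reported and
// refused, while remote connections pass through to the native class.
// `scope` is any object exposing a WebSocket constructor (globalThis in a
// browser userscript or extension content script; a stub when testing).
// Returns true if a guard was installed.
function installWebSocketGuard(scope = globalThis, onBlocked = (m) => console.warn(m)) {
  const Native = scope.WebSocket;
  if (typeof Native !== "function") return false;
  function GuardedWebSocket(url, protocols) {
    const v = classifyWebSocketTarget(url);
    if (v.local) {
      onBlocked(`blocked WebSocket to ${v.host}:${v.port} (${v.service})`);
      throw new Error(`WebSocket to local host refused: ${url}`);
    }
    return new Native(url, protocols);
  }
  // Keep instanceof checks and the readyState constants working for page code.
  GuardedWebSocket.prototype = Native.prototype;
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    GuardedWebSocket[k] = Native[k];
  }
  scope.WebSocket = GuardedWebSocket;
  return true;
}
```

Calling `installWebSocketGuard()` early in a content script makes the probing visible in the console rather than silently succeeding; a site that legitimately needs a local WebSocket would need an explicit allowance added to the classifier.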
For more, see the CyberWire Pro Research Briefing.
OPSEC mistakes reveal cybercriminal's identity.
Check Point has apparently tracked down the identity of the UGNazi-associated hacker known as "VandaTheGod," who has hacked and defaced thousands of websites since 2013. VandaTheGod was primarily known for hacktivist activities, but he was also involved in data theft and financially motivated cybercrime.
The individual enjoyed boasting about his exploits on his Twitter account, which led to some serious OPSEC failures. Check Point noticed that when he posted a screenshot of his desktop accessing a hacked email account belonging to a Brazilian actress, he neglected to crop out his browser tabs, one of which showed a Facebook tab with the name "Vanda De Assis." This turned out to be a Facebook profile operated under his hacker persona.
He also posted a different screenshot showing that his username on the computer was a person's name (which Check Point doesn't disclose). The researchers then tracked down a personal Facebook profile under that name and identified several identical photos posted to the hacker's account and to the personal account. Cross-matching the individual's furniture and devices with photos posted on Twitter offered further confirmation of the hacker's identity. Check Point concludes, "Ultimately, we were able to connect the VandaTheGod identity with high certainty to a specific Brazilian individual from the city of Uberlândia, and relay our findings to law enforcement to enable them to take further action."
Patch news.
The Verge reports that iOS 13.5.1, which was rolled out on Monday, fixes a kernel vulnerability exploited by the Unc0ver jailbreak. Apple didn't go into much detail, simply describing the vulnerability (which it tracks as CVE-2020-9859) as a "memory consumption issue" that could allow an application to "execute arbitrary code with kernel privileges." Decipher explains that the flaw is a newer version of a kernel vulnerability that was patched in 2018 with iOS 12. That vulnerability was first discovered by researchers at Synacktiv, who said in a blog post last week that the exact same bug was reintroduced in iOS 13.
VMware has patched a serious code injection vulnerability (CVE-2020-3956) in Cloud Director that could have allowed an attacker with access to the platform's web interface or API to gain complete control over other customers' cloud infrastructure. The flaw was discovered by pentesters at Citadelo, who responsibly disclosed it to VMware.
Zoom fixed two path-traversal vulnerabilities discovered by Cisco Talos that could have led to remote code execution.
Crime and punishment.
POLITICO reports that the European Union is preparing to sanction a group of Russian government hackers for their alleged involvement in the 2015 cyberattack against Germany's Bundestag. German prosecutors last month issued an international arrest warrant for one of the suspected hackers, Dmitry Badin, who they believe is a member of the GRU's APT28 (Fancy Bear). Russia's Foreign Ministry says the accusations are "nonsense," according to the Washington Post.
A 24-year-old Australian hacker has been fined AU$5,000 after pleading guilty to stealing employee information from Apple's servers and posting it on Twitter, according to MacRumors. He's also been given eighteen months of probation under pain of an additional $5,000 fine.
A 64-year-old man has pleaded guilty in Texas to participating in a business email compromise scheme that saw two companies scammed out of more than $500,000, CyberScoop reports.
The UK's National Crime Agency (NCA) is using Google Ads to deter budding cybercriminals from seeking out services used to launch online attacks, Brian Krebs reports. Krebs found that searching Google for the term "booter" (a DDoS-for-hire tool) from a UK IP address will often present the user with an ad warning that "Booting is illegal." NCA Senior Manager David Cox told Krebs the ads are targeted at males between the ages of thirteen and twenty-two, and are meant to make these people aware that cybercrime isn't a low-risk activity, as well as steering them toward more constructive outlets for computer skills. An NCA report from 2017 concluded that "[f]or deterrence to work, there must be a closing of the gap between offender (or potential offender) with law enforcement agencies functioning as a visible presence for these individuals."
Courts and torts.
Google is facing a $5 billion class-action lawsuit for allegedly collecting browsing information while users were in Incognito mode, Reuters reports. The lawsuit states that Google "cannot continue to engage in the covert and unauthorized data collection from virtually every American with a computer or phone." A Google spokesman stated, "As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity."
Policies, procurements, and agency equities.
The US Cyberspace Solarium Commission issued a white paper on lessons learned about cybersecurity from the COVID-19 pandemic. The Commission drew similarities between a pandemic and a major cyberattack: both require domestic management as well as international cooperation, both are likely to place stress on existing incident response plans, and both benefit from agile and resilient systems that facilitate coordination between the public and private sectors. The Commission concludes that, "perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response."
FCW reports that the US Department of Energy intends to use the recently issued Executive Order on Securing the United States Bulk Power System to "tear out foreign-made parts and components" believed to represent a threat to the security of the nation's power distribution system. E&E News says the Executive Order and the measures now under consideration for implementing it "blindsided" the electrical power industry.
US Space Force is seeking approximately 130 officers and 1,000 enlisted members to serve in cyber-related roles, according to Air Force Magazine. The publication says "USSF cyber operators would still continue to handle typical space-focused missions like protecting communications transmissions, assuring the ability to control satellites, working in U.S. Cyber Command-affiliated mission defense teams, partnering with the National Reconnaissance Office, and more. But the service is also offering them a chance to work more closely with space operators, like those who manage satellites, and to do more with less by using emerging technology such as artificial intelligence."
For more, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Two of Canada's three major telecommunications companies, Bell and Telus, announced Tuesday that they wouldn't be using Huawei's equipment in their 5G networks, Reuters reports. The companies will use gear from Ericsson and Nokia instead. Canada's third major telco, Rogers Wireless, has already stated that it will use Ericsson's equipment. CBC News notes that Telus had planned on using Huawei's kit as recently as February, and Bell has frequently voiced its support for Huawei in the past. The Canadian government still hasn't decided whether or not it will permit Huawei to contribute to Canada's 5G infrastructure, but ZDNet says the three telcos' decisions have effectively shut Huawei out regardless.
Bloomberg reports that the British government is in discussions with Japan's NEC and South Korea's Samsung about possibly enlisting them as alternatives to Huawei for the UK's 5G networks. The Times says Downing Street is also asking the US and other allies to form a coalition of ten democratic nations that would create alternatives to Chinese suppliers of 5G technology. This "D10" alliance would consist of the G7 countries, plus Australia, India, and South Korea.
Mergers and acquisitions.
TechCrunch reports that VMware will acquire Redwood City, California-based malware protection firm Lastline for an undisclosed amount. TechCrunch says VMware intends to lay off around 40% of Lastline's staff (about fifty people), although Lastline and VMware declined to comment on this claim.
Thoma Bravo has announced it will acquire Virginia-headquartered secure cloud-based collaboration company Exostar. Terms of the transaction weren't disclosed, but the Wall Street Journal says the deal is valued at around $100 million.
San Jose, California-based cloud security firm Zscaler has acquired Massachusetts-based zero-trust security company Edgewise Networks for an undisclosed amount.
Washington, DC-headquartered privileged access management company Thycotic has acquired Hayward, California-based access control provider Onion ID.
Seattle-based network security vendor WatchGuard Technologies has acquired Spanish antivirus company Panda Security.
Investments and exits.
Maryland-based phishing prevention company INKY has raised $20 million in a Series B round led by Insight Partners.
San Francisco-based digital risk management firm RiskIQ has raised $15 million in a Series D round led by National Grid Partners, the venture capital arm of London-based multinational energy company National Grid.
Connecticut-based data discovery and privacy company 1touch.io has raised $14 million in a Series A round led by National Grid Partners and Jerusalem Venture Partners, with participation from Connecticut Innovations, Mindset Ventures, and Ocean Azul Partners.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.