Facebook paid for Tails exploit to bust a child predator.
Motherboard reports that Facebook paid a third-party cybersecurity firm six figures to develop a zero-day exploit in Tails, a Tor-using Linux distro, in order to help the FBI track down a child predator. The predator, Buster Hernandez, was charged in 2017 and pleaded guilty to forty-one Federal charges earlier this year, including eight counts of production of child pornography, three counts of coercion and enticement of a minor, ten counts of threats to kill, kidnap, and injure, four counts of threats to use an explosive device, and two counts of retaliation against a witness or victim.
Facebook had been tracking Hernandez for years, and some employees called him "the worst criminal to ever use the platform." The FBI was also hunting him, but was unable to deanonymize him since its hacking tools weren't designed for use against Tails. Facebook's security team, at the time led by Alex Stamos, retained a cybersecurity consulting firm to create an exploit for a zero-day flaw in the Tails video player that would expose the IP address of a user watching a video. Facebook then gave the exploit to the FBI through an intermediary, and the FBI succeeded in identifying Hernandez.
The decision was apparently extremely controversial within Facebook, but the company went ahead with it in light of the depravity of Mr. Hernandez's crimes. Facebook didn't report the flaw to Tails even after Hernandez had been identified because the Tails developers inadvertently removed the vulnerable code soon afterward, rendering a disclosure unnecessary. A Facebook spokesperson told Motherboard, "The only acceptable outcome to us was Buster Hernandez facing accountability for his abuse of young girls. This was a unique case, because he was using such sophisticated methods to hide his identity, that we took the extraordinary steps of working with security experts to help the FBI bring him to justice."
For more, see the CyberWire Pro Privacy Briefing.
Tracking a hack-for-hire operation.
Researchers at the University of Toronto's Citizen Lab published a report on a hack-for-hire outfit based in India. The operation, which the researchers track as "Dark Basin," was tied to a Delhi-headquartered technology company called "BellTroX InfoTech Services." The organization has allegedly carried out commercial espionage against targets involved in legal battles, high-profile financial transactions, news stories, journalism, advocacy, and criminal cases. The hackers primarily rely on phishing and social engineering to compromise their targets.
Much of Citizen Lab's report centers around the targeting of people involved in an environmentalist campaign focused on ExxonMobil, although the researchers are careful to stress that they have no evidence pointing to who actually hired the BellTroX hackers. The company was also behind a spearphishing campaign that targeted net neutrality advocates in the summer of 2017.
The hacking firm is apparently headed and owned by one Sumit Gupta, who was charged in 2015 by the US Attorney for the Northern District of California for "crimes related to a conspiracy to access the e-mail accounts, Skype accounts, and computers of people opposing" his co-conspirators in civil lawsuits. The Justice Department said at the time that the FBI's office in New Delhi was seeking to secure Mr. Gupta's prosecution, but it's not clear if he was ever arrested.
Gamaredon Group is noisy but effective.
ESET says the Gamaredon threat group is using previously undocumented tools in its hacking campaigns, including a VBA macro for Outlook that's designed to send spearphishing emails to the contact lists of compromised accounts. Gamaredon primarily targets Ukrainian organizations, and ESET notes that the group "seems to make no effort in trying to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data."
Ransomware attacks against Honda and Enel Group.
Honda's manufacturing plants in countries around the world were taken offline after the company sustained a ransomware attack beginning on Sunday, the BBC reports. The attack seems to have involved the Ekans ransomware (also known as "Snake"), according to Malwarebytes. Honda has been tight-lipped about the incident, but a spokesman told Popular Mechanics that "there is no current evidence of loss of personally identifiable information. We have resumed production in most plants and are currently working toward the return to production of our auto and engine plants in Ohio."
BleepingComputer reports that European power company Enel Group was also hit by Ekans on Sunday, but the attack was apparently contained by the company's antivirus software. Enel Group told BleepingComputer, "As a precaution, the Company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk. The connections were restored safely on Monday early morning. Enel informs that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time caused by the temporary blockage of the internal IT network."
Malwarebytes and BleepingComputer note that a security researcher discovered that both Honda and Enel Group had RDP connections exposed to the Internet, but it's not clear if this is how the attackers gained entry.
eCh0raix and Zorab ransomware campaigns.
BleepingComputer reports that the eCh0raix ransomware operators have launched a new campaign targeting QNAP network-attached storage devices. The attackers are exploiting vulnerabilities on unpatched QNAP instances or brute-forcing credentials. BleepingComputer notes that QNAP released patches on Friday for three vulnerabilities that could lead to remote code execution, so users are advised to update promptly.
BleepingComputer also warns that a gang behind another ransomware strain, known as "Zorab," is distributing its own malware via a fake decryptor for the STOP Djvu ransomware. STOP Djvu has been among 2020's most successful ransomware strains in terms of number of victims, but it's far less reported than other strains because it usually infects home users who are trying to install pirated software. There are legitimate decryptors for older versions of STOP Djvu, and the Zorab operators are taking advantage of this by packaging their ransomware into a fake decryptor. STOP Djvu victims who try to unlock their files with this decryptor will have their data encrypted a second time.
For more, see the CyberWire Pro Research Briefing.
Disinformation operations in China, Russia, and Turkey.
Twitter has uncovered three large-scale, state-run disinformation campaigns on its platform, all three of which were directed at domestic audiences. The largest operation was run by the People's Republic of China (PRC) and involved a network of 23,750 core accounts pushing narratives favorable to the Chinese Communist Party, as well as disinformation related to Hong Kong politics. In addition, this network included around 150,000 amplifier accounts that boosted the content posted by the core accounts. Despite the size of this network, Twitter says the accounts failed to achieve widespread engagement before they were taken down.
Another network was tied to Russia, and involved 1,152 accounts that tweeted in support of the United Russia party and attacked political dissidents. These accounts were linked to the state-backed media site Current Policy.
A third network was attributed to Turkey, and consisted of 7,340 fake and compromised accounts that tweeted in support of President Erdogan and the AK Parti. The messaging pushed by these accounts was "primarily targeted at domestic audiences within Turkey."
Intel issued a patch for a vulnerability in "some client and Intel® Xeon® E3 processors" that could "allow data values from special registers to be inferred by malicious code executing on any core of the CPU." This could potentially allow an attacker to derive a session encryption key.
Intel also patched two critical privilege-escalation flaws (CVE-2020-0594 and CVE-2020-0595) in the company's Active Management Technology, both of which are rated as 9.8 on the CVSS scale, Threatpost reports.
The uBlock Origin adblocker extension can now block most sites that are known to launch port scans against visitors' computers, BleepingComputer reports.
Crime and punishment.
Washington state officials believe they've recovered around half ($333 million) of the unemployment benefits stolen by fraudsters during the coronavirus crisis, according to the Associated Press. The total amount stolen is thought to be between $550 million and $650 million, and the state thinks it can recover "a significant amount" more. A West African cybercrime gang is suspected to have used stolen identities to conduct the benefits fraud across nearly a dozen US states.
Garrison Courtney, a former chief spokesman for the US Drug Enforcement Administration, admitted that he posed as an undercover CIA operative in order to scam private companies out of $4.4 million, the Washington Post reports. Courtney also duped various government officials into believing the ruse in order to boost his credibility when he met with the victim companies.
The owners of vDOS, a shuttered DDoS-for-hire service, have been sentenced by an Israeli court to six months of community service, accompanied by fines and probation, KrebsOnSecurity reports.
Courts and torts.
Capital One has asked a Virginia Federal court to overturn a judge's ruling that the company must disclose a third-party incident response report on its major 2019 data breach, Law360 reports. CyberScoop explains that the judge had concluded the incident response report was not protected under legal doctrine because it was the result of a business agreement. Capital One contends that the order has "unworkable practical implications" for banks that experience cyber incidents.
Amazon has sued Brian Hall, its former Amazon Web Services Vice President of Product Marketing, after Hall took a role at Google Cloud, GeekWire reports. Amazon claims that Hall's new role violates his non-compete contract, since he "was entrusted with an unusually broad view into Amazon’s cloud product plans; its priorities; and its competitive strategy." Hall's lawyers argue that his job at Google "will not require him to use or disclose any Amazon confidential information."
Policies, procurements, and agency equities.
Chinese state news outlet The Global Times reports that the new national security law for Hong Kong is only about a month away. The measure is widely regarded as marking the end of the one-nation, two-systems arrangement that's prevailed since the UK handed Hong Kong over to Chinese rule in 1997.
Nadav Argaman, the head of Israel's Shin Bet security service, stated his opposition to a measure that would extend the use of his agency's phone-tracking technology for coronavirus cases, according to the Associated Press. Argaman's statement caused the Israeli government to halt its proposal to continue the practice into the summer.
Online voting has been used in some US states’ primaries, and may see some limited use in November’s general elections. The New York Times discusses the risks this may pose for direct manipulation of votes. Delaware, West Virginia, and New Jersey plan to use Democracy Live’s OmniBallot platform, but researchers at MIT and the University of Michigan report that OmniBallot "represents a severe risk to election security and could allow attackers to alter election results without detection."
Reuters reports that members of US Congress are seeking information on a 2015 backdoor incident at Juniper Networks. Senator Wyden (of the Intelligence Committee) was joined by his Utah Republican colleague Mike Lee (of the Judiciary Committee) in a letter sent this Tuesday to Juniper Networks CEO Rami Rahim. They’re interested in what Juniper learned after it found what the networking shop called “unauthorized code” in its NetScreen security software in 2015. It was reported at the time that what they found was an NSA-designed backdoor. The FBI investigated, but the results of their inquiry haven’t been made public.
For more, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Zoom is facing criticism after Axios reported that the company shut down an account belonging to a US-based Chinese activist group after they held a Zoom event commemorating the Tiananmen Square Massacre. Zoom has since reactivated the account, telling Axios, "Just like any global company, we must comply with applicable laws in the jurisdictions where we operate. When a meeting is held across different countries, the participants within those countries are required to comply with their respective local laws." Many critics remain unsatisfied with this explanation, however; Security Boulevard has a summary of their viewpoints.
Reuters reports that Palantir plans to file with US regulators for an IPO or a direct listing in the coming weeks, and could go public as soon as September.
Facebook last week began its long-anticipated labeling of accounts run by state-controlled media. The labels appear in the "Ad Library Page view, on Pages, and in the Page Transparency section." Facebook is looking specifically for outlets that are "wholly or partially under the editorial control of their government." The Verge explains Facebook’s new policy as one of "including information about their ownership and funding, the level of transparency around their sources, and the existence of accountability systems like a corrections policy." Thus simply being government-funded doesn’t make an outlet state-controlled. The BBC presumably would get a pass for editorial independence, while Sputnik, RT, and China Daily would be labeled as state-controlled. For more on this story, see the CyberWire Pro Disinformation Briefing.
IBM is no longer offering general-purpose facial recognition software, and the company will cease research and development of facial recognition technology, the Verge reports. In a letter to Congress, IBM's CEO Arvind Krishna said, "IBM firmly opposes and will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency. We believe now is the time to begin a national dialogue on whether and how facial recognition technology should be employed by domestic law enforcement agencies."
A bipartisan group in US Congress on Wednesday proposed providing $22.8 billion in aid for domestic semiconductor production, in order to further distance the US from China's technology industry, Reuters reports.
Mergers and acquisitions.
McLean, Virginia-based government services company E3/Sentinel has acquired Reston, Virginia-based Lucid Perspectives, which provides software development and systems engineering services to US intelligence agencies.
Snohomish, Washington-headquartered cybersecurity management company Cyemptive Technologies has acquired Burlington, Washington-based security compliance firm Interpreting Technology.
San Francisco-headquartered DevOps application provider GitLab has acquired two DevSecOps startups: Seattle-based Peach Tech and Tel Aviv-based Fuzzit.
Investments and exits.
Las Vegas-headquartered fraud prevention firm NS8 has raised a $123 million Series A round led by Lightspeed Venture Partners and AXA Venture Partners.
New York-based automated cloud governance startup Concourse Labs emerged from stealth with a $15.2 million Series A round led by ForgePoint Capital, with participation from existing investors 83North and Capri Ventures.
Irish vulnerability management company Edgescan has received a €10.5 million (US$11.9 million) investment from UK-based capital investment firm BGF, RTE reports.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.