Ripple20 vulnerabilities in IoT supply chains.
Researchers at Israeli cybersecurity firm JSOF have discovered nineteen vulnerabilities in a low-level TCP/IP software library used by "hundreds of millions" of IoT devices. The code was developed by the Ohio-based company Treck and has been integrated into the IoT supply chain since its release in the late '90s. The set of flaws, dubbed "Ripple20," includes four remote code execution vulnerabilities, two of which received CVSS scores of 10. Treck has developed patches for the flaws and urges its customers to contact them for more information, noting that the level of exposure to the vulnerabilities varies greatly from product to product.
The real challenge, however, is the fact that many IoT vendors likely don't know if their products contain the vulnerable code. JSOF collaborated with CERT/CC and the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to track down "as many affected vendors as possible before the vulnerabilities became public," but there are many others whose status is still unknown. The researchers state, "Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries."
CISA and CERT/CC lay out mitigations to minimize the risk of exploitation, and JSOF is offering a script that can help in some cases to determine whether a device is vulnerable. But despite these efforts, ZDNet concludes that the vulnerabilities "will haunt the IoT landscape for years to come."
Australia warns of state-backed cyberattacks.
Australia's Prime Minister Scott Morrison stated Friday that Australia is being targeted by a sophisticated, state-sponsored cyber actor "across a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure." Morrison noted that these attacks aren't new, but they're growing increasingly frequent. He declined to publicly attribute the activity to any specific nation-state, but noted that "there are not a large number of state-based actors that can engage in this type of activity and it is clear, based on the advice that we have received, that this has been done by a state-based actor with very, very significant capabilities." The ABC and others assume the Prime Minister is referring to China.
The ASD's Australian Cyber Security Centre (ACSC) published an advisory on Thursday outlining the threat actor's tactics, techniques and procedures, and observers including the Guardian noted that, while the attacker may be sophisticated, the techniques themselves aren't particularly novel or advanced. The actor prefers to use open-source exploits against public-facing infrastructure. If that approach fails, the attackers turn to spearphishing. The ACSC's two key recommendations for organizations are obvious but important: patch internet-facing infrastructure promptly, and use multi-factor authentication for all remote access services.
It's not clear why Morrison decided to issue this statement now. ZDNet cites Tom Uren from the Australian Strategic Policy Institute's International Cyber Policy Centre, who tweeted that Morrison's intention was probably "Internal and external signalling. For domestic audiences: cue the sound of a thousand CISO's knocking to ask for more resources as 'the PM just said this is important.' For the Chinese: we are getting tired of this and it's escalated to the highest levels. Final warning or we'll be much more public." Still, Uren added, "The frog has been boiling for years, so what made us jump?"
New insights into Secondary Infektion.
Graphika has published an extensive study of the Russian disinformation operation known as "Secondary Infektion," first described by the Atlantic Council last year. The report concludes that Secondary Infektion has been in continuous operation since 2014 and that it's run by a single unidentified controlling agency. Graphika says the operation displays impressive operational security, often using burner accounts that posted only one article each. This commitment to OPSEC helped them avoid detection by social media platforms, but it also drastically limited the reach of the operation. The researchers note that, despite the scale of the campaign, "[a]lmost none of the operation’s posts across six years of activity achieved any measurable engagement, in terms of shares, likes and positive reactions across platforms."
This "lasting mismatch between effort expended and apparent impact gained" is so stark that the researchers wonder if perhaps the operators "were driven by production quotas rather than engagement targets - or that they were using some other form of metrics not visible to outside observers." It's also worth noting that the fake articles and documents used in the campaign were often poorly crafted and unconvincing.
For more, see the CyberWire Pro Disinformation Briefing.
Android spyware targets Uyghurs.
Trend Micro has discovered a previously undocumented Android spyware strain that's targeting Tibet, Turkey, and Taiwan, with a particular focus on Uyghur Muslims. The researchers have dubbed the malware "ActionSpy," and they've tied it to the China-associated Earth Empusa APT (also known as POISON CARP or Evil Eye).
The group is using watering hole tactics and phishing attacks to lure victims to spoofed websites that will install the malware. The researchers note that these tactics are similar to those used in Operation Poisoned News, another recent campaign that targeted iOS users in Hong Kong.
The ActionSpy malware is related to a series of watering hole attacks discovered by Google last year that used five iOS exploit chains to compromise visitors' phones. TechCrunch reported at the time that those attacks were also directed at Uyghurs, and were most likely conducted by Chinese state security services.
For more, see the CyberWire Pro Research Briefing.
Patch news.
Adobe released nineteen patches on Tuesday, Naked Security reports. The products affected are Audition, Premiere Rush and Pro, Illustrator 2020, After Effects, and Campaign Classic. All but one of the bugs are rated "critical" and can enable arbitrary code execution.
Drupal has received patches for three vulnerabilities in its core, including one that could lead to remote code execution, Help Net Security reports.
Crime and punishment.
Researchers at Check Point have determined that Italian security firm CloudEyE is actually a front company that's been selling a binary crypter to malware operators. CloudEyE's service allows unskilled threat actors to upload encrypted malware payloads to cloud drives without being detected. If CloudEyE's website is to be believed, the company makes more than $500,000 per month through this scheme.
The US Attorney for the District of Massachusetts has charged six former eBay employees with "conspiracy to commit cyberstalking and conspiracy to tamper with witnesses" in a nasty case of harassment. The employees allegedly targeted a Natick, Massachusetts, couple who ran an e-commerce newsletter that sometimes posted critical reviews of eBay. The Attorney's office says the "alleged harassment included sending the couple anonymous, threatening messages, disturbing deliveries – including a box of live cockroaches, a funeral wreath and a bloody pig mask – and conducting covert surveillance of the victims." The defendants, all of whom eBay fired last September after an internal investigation prompted by a police notification, included the company's Senior Director of Safety & Security, the Director of Global Resiliency, the Senior Manager of Global Intelligence, the manager of eBay’s Global Intelligence Center (GIC), a contractor who worked as an intelligence analyst in the GIC, and a Senior Manager of Special Operations for eBay’s Global Security Team.
Courts and torts.
Facebook has filed two separate lawsuits against individuals who allegedly abused the company's platforms, Reuters reports. The first was filed against a Spain-based service that provided software for generating fake likes and comments on Instagram. The second involves a California man who allegedly operated a service that scraped Facebook users' data without their permission. Facebook stated, "This is one of the first times a social media company is using coordinated, multi-jurisdictional litigation to enforce its Terms and protect its users....These lawsuits also allege the defendants violated the laws of Spain and the US, including Spain’s protections for databases and online platforms and the Computer Fraud and Abuse Act in the US. We are seeking injunctions to reinforce our permanent ban against their use of our platform."
Policies, procurements, and agency equities.
The October 2017 report by the CIA’s WikiLeaks Task Force (formed to investigate how the leak site came to obtain the material it published as Vault 7) has been partially declassified. According to the Washington Post, the heavily redacted report found that the CIA was focused on developing offensive cyber tools, but that it neglected basic security measures and sound practice. The report states, "CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies." It adds later, "We have been slow—due to resource choices and cultural resistance—to extend state-of-the-art audit and user activity monitoring technology to mission systems not connected to the main enterprise network." The report also concludes that WikiLeaks should be assumed to have everything the affected CIA unit kept in its Stash source code repository as well as its Confluence collaboration and communications platform.
The US Justice Department on Wednesday issued its review of Section 230 of the Communications Decency Act, concluding that "the time is ripe to realign the scope of Section 230 with the realities of the modern internet." Section 230 has generally served to shield online platforms from various forms of civil and criminal liability. The Justice Department recommends that, rather than repealing the statute outright or leaving it untouched, certain "carve-outs" can be made to remove protections from "truly bad actors" (platforms that intentionally facilitate criminal activity), "claims that address particularly egregious content" (including child abuse, terrorism, and cyber-stalking), and cases in which "a platform had actual knowledge or notice that the third party content at issue violated federal criminal law or where the platform was provided with a court judgement that content is unlawful in any respect."
The US Supreme Court will take up United States v. Van Buren, a case involving the Computer Fraud and Abuse Act (CFAA), JDSupra reports. The Court will consider whether using a computer one is authorized to access, but using that access for unauthorized or improper purposes, constitutes a violation of the CFAA. Van Buren, while working as a police officer with permission to access license plate databases, was paid by an FBI informant to run a license plate search, ostensibly for the informant's personal purposes. He was charged under the CFAA, but he claimed that since he was authorized to access the information, what he'd done didn't constitute a violation.
Microsoft and Google are standing by their earlier statements to the European Union that the EU's proposed Terrorist Content Regulation would be "unworkable," the Telegraph reports. The regulation would require online platforms to remove terrorist content within one hour of its identification as such. Microsoft and Google argue that the one-hour deadline is too short, and they warn that the regulation will drive companies toward greater surveillance and more censorship of online content.
For more, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Zoom has reversed its position on end-to-end encryption (E2EE) and will now provide the upcoming service as an optional feature to both free and paid customers, the Verge reports. The company had originally planned on reserving E2EE for paid accounts, since these users had provided more information and were therefore easier for law enforcement to track. Free users, by contrast, only needed to provide an email address and were far more difficult to identify if they used the platform for unlawful purposes. Following criticism from privacy advocates, Zoom says it's found a middle ground: free users who want to activate E2EE will be required to "participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message."
Labor markets.
On June 17th we were able to attend a virtual panel discussion on the state and prospects of the national security workforce. The panel was actually more focused than advertised: while it addressed workforce issues relevant to national security in general, it’s particular focus was on the cybersecurity workforce. The discussion, hosted by the US National Defense University’s College of Information and Cyberspace, addressed familiar challenges of attracting students to prepare for careers in science, technology, engineering, and mathematics (STEM)—and attracting them to careers in cybersecurity is a special case of that larger challenge.
But for the most part the symposiasts reviewed familiar obstacles to bringing cyber talent into the Government. “We need to reinforce policies and systems that support a strong national security workforce.” What are some of the familiar stumbling blocks? They’ll come as no surprise: the inability to compete with private sector compensation packages, the rigidity of the civil service system, the difficulty of enabling government personnel to spend time in industry or universities (and vice versa), the unrealized potential of offering university scholarships in exchange for a commitment to public service, etc.
None of these would have been out-of-place in a symposium held thirty years or more ago: clearly there’s been no Sputnik moment since Sputnik, and even that moment may be rosier in historical memory than it ever was in historical effect. The College of Information and Cyberspace deserves well of the Republic for raising these issues again; may they reach their audience.
The Wall Street Journal also has an account of the event.
Mergers and acquisitions.
Texas-based application security and software delivery company Digital.ai has acquired Numerify, a San Jose, a California-based IT business analytics provider, and Experitest, an Israeli web and mobile application testing company. Both acquisitions were backed by TPG Capital, and the financial terms weren't disclosed.
IBM is acquiring Santa Clara, California-based security management and compliance startup Spanugo for an undisclosed amount, CRN reports.
Virginia-based data analytics company Novetta has acquired Maryland-based software engineering firm WaveStrike for an undisclosed sum.
Investments and exits.
Boston-based security analytics firm Uptycs has raised $30 million in a Series B funding round led by Sapphire Ventures, with participation from existing investors Comcast Ventures and ForgePoint Capital.
Palo Alto, California-based API security company Salt Security has raised $20 million in a Series A round led by Tenaya Capital.
Los Angeles-headquartered cloud-native data security startup Open Raven has raised $15 million in a Series A funding round led by Kleiner Perkins, with participation from existing investors including Upfront Ventures.
New York and Australia-based web traffic security startup Kasada has raised $10 million in a Series B round led by Ten Eleven Ventures, with participation from existing investors Main Sequence Ventures and Reinventure (Westpac's venture capital arm).
UK-based mid-market private equity firm Livingbridge has invested an undisclosed amount in Irish cloud security vendor TitanHQ.
Wipro Ventures, the speculation arm of Indian IT giant Wipro, has invested an undisclosed sum into Sunnyvale, California-based cloud infrastructure security provider CloudKnox Security, the Economic Times reports.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.