Natanz blast looks like traditional sabotage.
An explosion and fire at Iran's Natanz uranium processing center on July 2nd was initially reported, by Iranian sources and others, to have been caused or facilitated by a cyberattack, but the incident looks increasingly more like an instance of traditional sabotage. The Washington Post cites an anonymous "Middle Eastern security official" as saying the damage was caused by a bomb placed in the facility, and that the operation was an Israeli effort to "send a message" that would deter Iran from accelerating its pursuit of nuclear weapons. Israeli Foreign Minister Ashkenazi and Defense Minister Gantz issued soft denials of Israel's involvement, according to the Jerusalem Post, with Gantz stating, "Not every incident that transpires in Iran necessarily has something to do with us."
The Jerusalem Post says the blast appears to have destroyed nearly three-quarters of the facility's centrifuge assembly hall. Simon Henderson from the Washington Institute for Near East Policy, writing in The Hill, explained that the site is no longer suitable for the assembly of the IR-2m centrifuges necessary to enrich uranium that can be used in nuclear weapons. Henderson added that "from Israel’s point of view, the likelihood of Iran obtaining enough highly-enriched uranium for its first nuclear weapon has been delayed by months, perhaps even years."
Law enforcement infiltrates EncroChat.
Motherboard describes a large-scale law enforcement operation that led to the arrests of 746 individuals in the UK, more than 100 in the Netherlands, and others in Norway, Sweden, and Spain. The arrests came after French authorities infiltrated EncroChat, an encrypted phone network primarily used by organized crime. French law enforcement shared their access with other European agencies through Europol, giving police across the continent a transparent view into organized criminal operations. The authorities intercepted "more than a hundred million encrypted messages" over the course of several months as criminals talked candidly about murder plots, money laundering, drug trafficking, and gunrunning.
In the Netherlands, police uncovered nineteen synthetic drug labs, 1,200 kilograms of meth, ten metric tons of cocaine, and a torture chamber (which hadn't yet been used). The UK's National Crime Agency (NCA) has seized £54 million (so far) and thwarted more than 200 "threats to life." The Met Police called its own contribution "the most significant operation the Metropolitan Police Service (MPS) has ever launched against serious and organised crime." France hasn't shared details about its own ongoing investigations, but Europol says the National Gendarmerie "has been monitoring the communications of thousands of criminals, leading to the opening of a wide range of incidental proceedings."
EncroChat itself was a secretive company that shut down last month when it realized its platform had been compromised by a persistent state actor. The company sold modified, privacy-centric Android phones for approximately $1,130 each, and charged $1,695 for a six-month subscription. The NCA says the company had 60,000 customers worldwide, 10,000 of which were in the UK. In May, EncroChat discovered sophisticated, custom-made spyware on its devices. Motherboard says the company pushed out a patch to mitigate against this attack, but a more powerful version of the malware reappeared "almost immediately after the patch." On June 13th, EncroChat warned its customers to dump their phones.
Cosmic Lynx tied to hundreds of BEC attacks.
A sophisticated Russian cybercriminal group dubbed “Cosmic Lynx” is launching business email compromise (BEC) attacks against major companies around the world, according to researchers at Agari. The group has launched more than 200 BEC attacks since July of 2019, active against organizations in forty-six countries on six continents. Notably, Agari says "Cosmic Lynx has a clear target profile: large, multinational organizations. Nearly all of the organizations Cosmic Lynx has targeted have a significant global presence and many of them are Fortune 500 or Global 2000 companies."
The threat actor singles out senior executives based on their titles. Agari found that 75% of the targeted employees have the titles of Vice President, General Manager, or Managing Director, while 21% held the titles of CEO, CFO, or President. After settling on a target, they use the (bogus) intention of acquiring an Asian company as the pretext of their request. They impersonate the victim company’s CEO in an email, asking them to work with “external legal counsel” to arrange the payments necessary to closing the acquisition. They then impersonate a real attorney who works with a British law firm to trick the targeted employee into making a transaction. The average amount Cosmic Lynx requests is $12.7 million.
For more, see the CyberWire Pro Research Briefing.
UCSF sustains NetWalker ransomware attack.
The University of California, San Francisco (UCSF) paid a $1.14 million ransom after sustaining a ransomware attack against the UCSF School of Medicine’s IT systems, Bloomberg reports. The school said the attack didn't interfere with patient care or COVID-19-related research, but added that "[t]he data that was encrypted is important to some of the academic work we pursue as a university serving the public good." The BBC says the attack involved the NetWalker ransomware, which Threatpost notes is now operating under a ransomware-as-a-service affiliate model. The BBC also reports that the attackers threatened to release stolen student data if the ransom wasn't paid.
More pre-installed malware on Lifeline Assistance devices.
Researchers at Malwarebytes have found pre-installed malware on phones sold by Assurance Wireless under the US Federal Communications Commission’s Lifeline program, which makes budget phones available to low-income consumers. The affected devices are ANS (American Network Solutions) UL40 phones running Android OS 7.1.1. This marks the second time this year Malwarebytes has discovered malware pre-installed on discount Lifeline devices. As in the previous case, which affected UMX U683CL phones, the ANS UL40 has compromised Settings and Wireless Update apps. In this case, the built-in Wireless Update app will install four different variants of the HiddenAds Trojan.
Patch news.
F5 Networks has patched a flaw (CVE-2020-5902) in its BIG-IP application delivery controllers that can lead to remote code execution. The vulnerability, which was discovered by Positive Technologies, received a CVSS criticality score of 10 out of 10. Threatpost says public exploits for the vulnerability have already been published, and Positive Technologies warned on July 2nd that more than 8,000 vulnerable devices were exposed to the Internet. F5 Networks warns, "If your BIG-IP system has [Traffic Management User Interface] exposed to the Internet and it does not have a patched version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures."
Palo Alto Networks has disclosed and patched a very serious vulnerability in PAN-OS, the operating system that runs on its firewalls and enterprise VPN appliances. The vulnerability (CVE-2020-2021) received a CVSS score of 10. Palo Alto explains, "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources." US Cyber Command stresses the severity of the vulnerability and urges users to patch affected devices "immediately, especially if SAML is in use."
Citrix released patches for eleven vulnerabilities, four of which can be exploited by an unauthenticated remote user under certain circumstances. Citrix's CISO Fermin Serna said in a blog post that the company isn't aware of any exploits for these flaws, but he urges customers to patch promptly.
Microsoft issued out-of-band patches for two vulnerabilities in Windows 10 and Windows Server 2019, ZDNet reports. The flaws could potentially be used to achieve remote code execution.
Adobe has ended support for its widely used e-commerce platform, Magento 1. Users of Magento 1 are strongly encouraged to upgrade to Magento 2, which was released in 2015. According to Threatpost, more than 100,000 online stores are still using Magento 1. Adobe stated, "If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site's security and PCI DSS compliance. Beyond the EOS date, Adobe will not be responding to any further security issues for Magento 1."
Crime and punishment.
German authorities have seized the "primary public download server" used by the leak site DDoSecrets, Motherboard reports. DDoSecrets assumes the seizure was related to the organization's recent publication of 270 GB of data stolen from US police fusion centers.
Researchers at the security firm Sansec have confirmed that North Korea's Lazarus Group is again turning to financial crime, as they use Magecart to skim US and European online shoppers' paycards. Its choice of front sites are interesting—they’re using, among others, an Italian modeling agency, an Iranian vintage music store to troll for victims, and a family-run signed book and collectible shop in, of all places, Wayne, New Jersey, right on the slopes of Garrett Mountain. Sansec believes that the Lazarus Group has been skimming since May of 2019.
A major Nigerian Instagram influencer, Ramon Olorunwa Abbas, better known online by his nom-de-hack "Ray Hushpuppi," was arrested in Dubai and then extradited to the US, where he's now facing charges related to alleged conspiracy to, as the US Attorney for the Central District of California put it, "launder hundreds of millions of dollars from business email compromise (BEC) frauds and other scams." Mr. Hushpuppi's alleged victims include an American law firm, a foreign bank, and an English Premier League football club.
Courts and torts.
Microsoft has obtained a court ruling allowing it to seize six domains used in widespread COVID-19-themed phishing campaigns.
Policies, procurements, and agency equities.
China's new national security law went into effect on June 30th, and is widely viewed as heralding the end of Hong Kong's autonomy. The law is presented as a measure against "secession, subversion, terrorism and collusion with foreign forces," but these terms are notoriously flexible within mainland China, and the BBC calls it "a frighteningly open-ended tool to suppress political agitation." Quartz notes that the law has an international scope, meaning anyone, including foreign nationals, could be arrested when they arrive in Hong Kong or China. Canada has warned visitors to Hong Kong that they "may be at increased risk of arbitrary detention on national security grounds and possible extradition to mainland China."
Nikkei Asian Review says residents of the city, particularly those involved in protests, began scrubbing their online footprints ahead of the law's implementation. The BBC reports that Hong Kong police have already made arrests under the law.
POLITICO says the European Union is considering a coordinated response to the new law, and the UK will offer British National (Overseas) passports and a consequent path to British citizenship to more than three million citizens of Hong Kong, according to the South China Morning Post. The US has suspended defense exports to Hong Kong and plans to announce more comprehensive restrictions on selling dual-use technologies to the city, the Washington Post reports. Secretary of State Pompeo said, "It gives us no pleasure to take this action, which is a direct consequence of Beijing’s decision to violate its own commitments under the U.N.-registered Sino-British Joint Declaration....But given Beijing now treats Hong Kong as 'One Country, One System,' so must we."
The US Cybersecurity and Infrastructure Security Agency (CISA) this week released its strategy document, Securing Industrial Control Systems: A Unified Initiative. The agency describes its strategy as "a multi-year, focused approach to improve CISA’s ability to anticipate, prioritize, and manage national-level ICS risk."
For more, see the CyberWire Pro Policy Briefing.
Fortunes of commerce.
Google, Facebook, and Twitter have temporarily ceased complying with Hong Kong government requests for user data as the companies decide how to deal with Beijing's new national security law, the New York Times reports. TikTok announced that it will be ceasing operations in Hong Kong entirely.
Mergers and acquisitions.
Australian cybersecurity consulting firm CyberCX has acquired Melbourne-based mission-critical network security company Basis Networks for an undisclosed amount, CRN reports.
Canadian cybersecurity firm Herjavec Group has acquired UK-based identity and access management provider Securience.
US-based private equity firm Thoma Bravo has acquired Virginia-based secure collaboration communications provider Exostar. Terms of the deal weren't disclosed.
Finnish mobile phone company HMD Global has acquired mobile cybersecurity software firm Valona Labs (also based in Finland) for an undisclosed amount.
VMware has agreed to acquire the True Visibility Suite business unit of Blue Medora, a Michigan-headquartered IT monitoring company.
Belgium-based quality assurance and cybersecurity firm Eurofins Digital Testing has acquired Scotland-based information assurance company Commissum.
Atlanta, Georgia-based privacy management and compliance firm OneTrust has acquired Seattle-based data discovery startup Integris Software for an undisclosed amount.
Investments and exits.
Palantir released a terse statement announcing that it had confidentially filed for an IPO with the US Securities and Exchange Commission, TechCrunch reports. The company didn't reveal any other information. TechCrunch explains, "Confidential IPO filings allow companies to bypass the traditional IPO filing mechanisms that give insights into their inner workings such as financial figures and potential risks. Instead, Palantir can explore the early stages of setting itself up for a public listing without the public scrutiny that comes with the process."
Redwood City, California-based phishing prevention company Area 1 Security has raised $25 Million in a Series D round led by ForgePoint Capital, with participation from existing investors Kleiner Perkins, Icon Ventures, and Top Tier Capital.
Tel Aviv-based breach protection firm Cynet has raised $18 million in a Series B round led by BlueRed Partners, with participation from Deutsche Telekom, Merlin International, and existing investors Norwest Venture Partners and Ibex Investors.
Israel-based breach and attack simulation provider XM Cyber has raised $17 million in a Series B round from Macquarie Capital, Nasdaq Ventures, Our Innovation Fund, and Swarth Group.
Tel Aviv-based autonomous threat hunting firm Hunters has raised $15 million in a Series A round led by M12 and USVP, with participation from YL Ventures, Blumberg Capital, and Okta Ventures.
UK-based post-quantum cryptography company PQShield has raised £5.5 million (US$6.9 million) from Kindred Capital, Crane Venture Partners, and Oxford Sciences Innovation, as well as angel investors including Andre Crawford-Brunt.
BAE Systems Applied Intelligence has spun off its internally incubated cybersecurity company SOC.OS, Computer Business Review reports. SOC.OS has also raised £2 million (US$2.3 million) in funding from Hoxton Ventures and Speedinvest. The company will offer a SIEM/SOAR solution for medium-sized businesses.
Telefónica Innovation Ventures has invested an undisclosed amount into San Francisco-based OT/IoT security company Nozomi Networks, Fierce Telecom reports.
And security innovation.
The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the seventeen startups chosen to participate in its fifth cyber accelerator. Thirteen of the companies are headquartered in the UK, while four are based overseas and want to expand into the UK market. The UK-based companies are AdvSTAR, BlockAPT, Capslock, CyberHive, InsurTechnix, MIRACL, Nanotego, RedHunt Labs, The CyberFish, Truststamp, VerifiedWhiteList, Zamna, and ZeroGuard. The four international companies are Israel-based ITsMine and ContextSpace Solutions, Netherlands-based BreachLock, and Argentina-based VU Security.
More business news, including executive moves, can be found in the CyberWire Pro Business Briefing.