By the CyberWire staff
Twitter's bad, no good Wednesday.
Twitter sustained a major hack Wednesday afternoon in which a number of high-profile, verified Twitter accounts began posting bitcoin scams. The accounts affected included those belonging to Joe Biden, Barack Obama, Elon Musk, Jeff Bezos, Bill Gates, Apple, Uber, Kanye West, Kim Kardashian, Warren Buffett, and Michael Bloomberg, as well as the Twitter accounts used by major cryptocurrency exchanges and sites (Gemini, Coinbase, Binance, KuCoin, TRON Foundation, CoinDesk).
Twitter said the attack was the result of "what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." In response, the social media platform restricted the ability of all verified accounts to post their own tweets for several hours. The company later added, "Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts."
Twitter's investigation continues, but preliminary reports by Reuters, Motherboard, and KrebsOnSecurity indicate that the hack was perpetrated by criminals involved in the SIM swapping community.
Many observers speculated that the bitcoin scams were simply a cover for more sinister activity, given the scale of access the attackers had versus the relatively low-impact attacks they actually conducted. That's possible, and the investigation is still in its relatively early stages, but it's looking more like a criminal operation. Brian Krebs even has a suspect to suggest: a SIM-swapper (nom de hack "PlugWalkJoe") connected with the ChucklingSquad gang. He’s believed to be an early twenty-something British student somewhere in Spain.
Alex Stamos told CNBC that the attacks "were the equivalent of stealing a McLaren F1, taking it for a joyride and then crashing it into a telephone pole four minutes later." And of course that's something people do, sometimes. (For more visual impact he might have compared it to the chickie run in Rebel Without a Cause.) In general, the incident came to look like a crime without a clear end in view. Reuters reported pre-hack chatter on a grey market forum that’s frequented by gamers, swappers, and skids, and this particular chatter offered to sell Twitter accounts. That suggests low-level criminal activity as opposed to state-directed espionage. It’s not just that offers to sell some stolen commodity appeared. State-run operations do that, too, often when they wish to be mistaken for simple criminals (consider NotPetya as one example), sometimes when they’re letting criminals whose services they’ve suborned profit from their hacking, and occasionally when they themselves wish to profit directly.
But in this case the outcome seemed messy, and disproportionate to the relative smoothness and ambition of the hack. Reuters quoted Allison Nixon, chief research officer at security consultancy Unit 221B, who said “When you have these less professional criminal groups, you see chaotic outcomes. One member might stumble across a powerful hack, and it spirals out of control. That’s probably what happened here.”
Consider a comparison. When the Mirai botnet first appeared and took down Internet service across much of the eastern United States, it wasn’t, as was widely believed at the time, a Russian shot across the American bow, but rather the work of a student at Rutgers who was pursuing some vaguely conceived grifting, like click fraud, or taking down his rivals in selling Minecraft commodities.
The Wall Street Journal says the FBI is investigating the incident.
US goes on (and has been on) the offense in cyberspace.
US President Trump said in an interview with the Washington Post that he had authorized a US Cyber Command response to Russian interference in the 2018 midterm elections. The Post had reported on the cyber operation in February 2019, sourcing the story to unnamed US officials, but this is the first time the President has claimed direct involvement. The attack knocked the Internet Research Agency offline in a demonstration intended, it was said at the time, to show the Russian government that cyber operations, particularly influence operations, would not be "cost-free." The New York Times says the 2018 operation was intended as both a deterrent and a realistic test of US capabilities against an actual adversary.
Yahoo News reports that in 2018 President Trump also signed a presidential finding authorizing the US Central Intelligence Agency to conduct offensive cyber operations against foreign targets, particularly Iran, China, Russia, and North Korea. A former US official told the publication that the agency has conducted "at least a dozen operations that were on its wish list" since the finding was signed. According to the official, these included both physically destructive cyberattacks ("stuff is on fire and exploding") and "public dissemination of data: leaking or things that look like leaking."
The people speaking on background for the story told the reporters that Langley had been to some extent divided on the advisability of offensive cyber operations, but that the CIA had sought such authority for years, going back at least two Administrations. Former CIA general counsel Robert Eatinger, who did speak on the record, had no knowledge of the 2018 finding, but he did confirm that there had for some time been two camps at Langley: those who saw restraint in cyberspace as prudent and valuable, and others who sought authority for more offensive cyber operations.
Yahoo says neither the CIA nor the National Security Council responded to their requests for comment.
Cozy Bear targets COVID-19 vaccine research.
Russia's Foreign Intelligence Service (SVR) has been conducting espionage against UK, US, and Canadian organizations involved in the development of a COVID-19 vaccine, according to an advisory issued by the UK's National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the US National Security Agency. Australian intelligence services also declared their agreement with the advisory, stating, "The targeting of COVID19 vaccine development and research during a pandemic is completely unacceptable behaviour."
The NCSC's report assessed that APT29 (also known as "Cozy Bear" or "the Dukes"), a threat actor commonly attributed to the SVR, has been delivering custom malware dubbed "WellMess" and "WellMail" via publicly available exploits and spearphishing. The vulnerabilities exploited include CVE-2019-19781 in Citrix Application Delivery Controllers (ADC) and Gateways, CVE-2019-11510 in Pulse Secure VPNs, CVE-2018-13379 in Fortinet's SSL VPNs, and CVE-2019-9670 in the Zimbra Collaboration Suite.
Four of the Five Eyes scowl in unison.
British Foreign Secretary Dominic Raab informed Parliament this week that Russian operators targeted the UK's 2019 general elections, seeking to influence voters through illicitly obtained "sensitive Government documents relating to the UK-US Free Trade Agreement." The campaign staged the material through Reddit. It was a leak-and-dump campaign, with amplification through multiple channels. UK officials did not see a comprehensive, intensive influence effort, but they did observe what they take to be nonetheless a clear attempt by Russian actors to shape voting. The Sydney Morning Herald has an account of how the stolen trade documents Foreign Secretary Raab mentioned were used: they served to drive the Labour Party's implausible contention that the Tories intended effectively to privatize the National Health Service and sell it to the Americans.
Russia reacts to accusations of cyberespionage and online influence operations.
Russia's embassy in London, responding to "unfriendly statements by Foreign Secretary Dominic Raab," (see above) said that Russia didn't hack any biomedical research, didn't attempt to influence any "democratic elections," and that it reiterated its offer to jointly investigate and adjudicate cyber issues. The statement closed with this: "We have also taken note of the Foreign Secretary’s suggestion that the UK Government reserves the right to respond with appropriate measures in the future. In this regard, we would like to state once again that any unfriendly actions against Russia will not be left without a proper and adequate response."
A look at Charming Kitten, facilitated by some careless opsec.
IBM's X-Force has gained some insight into Iran's ITG-18, a threat group IBM says "overlaps" Charming Kitten and Phosphorus, including the threat group's training videos, left exposed by an Iranian operator's opsec fumbles. It was an unusual opportunity to see how Tehran’s operators actually behave at the keyboard, and it confirmed at least two widespread impressions. First, the Iranian operators indeed devote time and attention to building target packages on individuals. And second, multifactor authentication really does seem to increase the attackers’ friction, sometimes to the point of dissuading them entirely. As IBM’s report put it, “During the videos where the operator was validating victim credentials, if the operator successfully authenticated against a site that was set up with multifactor authentication (MFA) they paused and moved on to another set of credentials without gaining access.”
The Molerats return.
ESET says the Molerats, also known as the Gaza Hackers, have resurfaced with Welcome Chat, an app that represents itself as offering secure messaging. It does indeed deliver messaging, but security not so much: it’s a spyware carrier by design, targeting Arabic speakers in the Middle East. “Not only is Welcome Chat an espionage tool; on top of that, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.” Welcome Chat requests an extensive list of permissions upon installation, and it's designed to call back to its command-and-control server every five minutes.
Forescout and Advent reach an agreement.
Forescout and Advent International have reached an amended merger agreement "under which Advent will acquire all outstanding shares of Forescout common stock for $29.00 per share." As a result of the agreement, Forescout has dropped its lawsuit against Advent, which it had filed in the Delaware Court of Chancery in May when Advent put the acquisition on hold.
More business news can be found in the CyberWire Pro Business Briefing.
More Chinese tax software with built-in malware.
Trustwave released a report on another strain of malware built into Chinese tax software designed to compromise the networks of companies doing business in China. This report describes malware dubbed "GoldenHelper," which the researchers say is "entirely different from GoldenSpy, although the delivery modus operandi is highly similar." GoldenHelper was used in a campaign that ran from January 2018 to July 2019, and was embedded in "Golden Tax Invoicing Software (Baiwang Edition), required by Chinese banks for payment of VAT taxes." GoldenHelper, like GoldenSpy, is tied to Aisino Corporation, one of only two companies authorized to produce tax software under China's national Golden Tax project.
For more, see the CyberWire Pro Research Briefing.
This past week's Patch Tuesday appears to have been Microsoft's second largest ever, according to BleepingComputer. The tally of 123 vulnerabilities addressed is exceeded only by last month's round, which fixed 129 bugs. Eighteen of this month's vulnerabilities are rated critical, with the most severe being CVE-2020-1350 (CVSS score of 10), a "wormable" flaw in Windows Server versions from 2003 to 2019 that Microsoft expects to be exploited soon. Redmond explained, "We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction. DNS is a foundational networking component and commonly installed on Domain Controllers, so a compromise could lead to significant service interruptions and the compromise of high level domain accounts....Microsoft recommends everyone who runs DNS servers to install the security update as soon as possible. However, if you are unable to apply the patch right away, Microsoft recommends that you use the workaround as soon as possible to protect your environment in the time before you install the updates." CISA issued Emergency Directive 20-03 on Thursday instructing US Federal agencies to implement mitigations against the vulnerability by 2:00 PM Friday, and to apply the patch by 2:00 PM next Friday.
Researchers at Check Point, who discovered the Windows DNS Server vulnerability, explain that "[t]he flaw is in the way the Windows DNS server parses an incoming DNS query, and in the way it parses a response to a forwarded DNS query. If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server."
SAP SE also patched a vulnerability with a CVSS score of 10 (CVE-2020-6287) affecting SAP NetWeaver AS JAVA versions 7.30, 7.31, 7.40, and 7.50. Onapsis discovered the flaw, and says it "affects a default component present in every SAP application running the SAP NetWeaver Java technology stack. This technical component is used in many SAP business solutions, including SAP SCM, SAP CRM, SAP PI, SAP Enterprise Portal and SAP Solution Manager (SolMan), impacting more than 40,000 SAP customers." CISA urges SAP customers to apply the patch as soon as possible.
Other vendors also patched. Adobe’s security updates addressed issues in Creative Cloud Desktop, Media Encoder, Download Manager, Genuine Service, and ColdFusion. Threatpost characterizes this round of patching as "light," but it does note that four of the vulnerabilities are rated "critical."
Crime and punishment.
Yevgeniy Nikulin was convicted Friday of breaching internal networks at LinkedIn, Dropbox, and Formspring in 2012, and of then selling the services’ user databases on the black market. ZDNet reports that he took a total of 117 million user records from LinkedIn, information on 68 million Dropbox users, and 30 million “details” on Formspring users. He was arrested in October 2016 while vacationing in Prague and was held in response to a US-issued INTERPOL Red Notice prompted by criminal complaints the three companies had filed in 2015. In the summer of 2017 Czech authorities extradited Mr. Nikulin to the US. It took the jury slightly less than six hours Friday to reach a unanimous guilty verdict, CyberScoop reports. That conviction came as something of a surprise given the strong criticisms the presiding US Federal judge made of the prosecution’s case last week, deriding it as not only boring, but also frequently irrelevant. The jurors apparently found it neither. Mr. Nikulin is expected to be sentenced on September 22nd.
Courts and torts.
A Tel Aviv District Court has rejected Amnesty International's bid to force the Israeli Ministry of Defence to revoke NSO Group's export license, SecurityWeek reports.
Policies, procurements, and agency equities.
The Court of Justice of the European Union (CJEU) ruled on Thursday that the EU-US Privacy Shield was insufficient to protect EU citizens from surveillance by the US, the BBC reports. The Privacy Shield is a framework designed to help companies comply with data protection laws when transferring personal data from the EU and Switzerland to the US.
The UK has reversed its earlier decision to allow Huawei's equipment to play a limited role in its 5G networks, and will require all Huawei gear to be removed by 2027, the Guardian reports. The BBC says Tory backbenchers are unsatisfied with this timeline and want the Chinese company's equipment removed sooner, but the move is still a significant blow to Huawei.
For more, see the CyberWire Pro Policy Briefing.