NSA discloses serious Windows vulnerability.
Microsoft on Tuesday released a patch for a serious spoofing vulnerability (CVE-2020-0601) in Windows 10, Windows Server 2016, and Windows Server 2019 affecting the way Microsoft's CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography certificates. Microsoft explained that "an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider." Because the same certificate validation path underpins HTTPS connections and signed files and email as well as code signing, the ramifications are far-reaching and severe.
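To make the flaw concrete, the following is an added illustration, not code from the article, Microsoft, NSA, or any of the researchers mentioned, and not an exploit for Windows. It shows in isolation the matching mistake that public analyses of CVE-2020-0601 describe: a validator that trusts caller-supplied explicit curve parameters and compares only the public-key point against its root store. An attacker keeps the trusted root's public key Q but ships a generator G' = d^-1 * Q, so a private key d the attacker holds satisfies d * G' == Q. The curve arithmetic is a textbook affine implementation over NIST P-256; the root key, attacker key, "certificates" and root store are all constructed here for the demonstration.

```python
# Added example: why matching an ECC certificate on its public-key point
# alone, while accepting explicit curve parameters, can be spoofed.
# Not Microsoft's, NSA's, or any researcher's code; keys and root store
# below are constructed for illustration only.

P256 = {  # NIST P-256 domain parameters (generator given as gx, gy)
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "n": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
}


def ec_add(P, Q, curve):
    """Affine point addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    p, a = curve["p"], curve["a"]
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, curve):
    """Double-and-add scalar multiplication k * P."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, curve)
        P = ec_add(P, P, curve)
        k >>= 1
    return R


def on_curve(P, curve):
    """Sanity check that a point satisfies the curve equation."""
    x, y = P
    return (y * y - (x ** 3 + curve["a"] * x + curve["b"])) % curve["p"] == 0


def forge_params(trusted_pub, d, base=P256):
    """Explicit parameters with generator G' = d^-1 * Q, so d * G' == Q.
    Same field and coefficients as the base curve; only the generator moves."""
    g_prime = ec_mul(pow(d, -1, base["n"]), trusted_pub, base)
    params = dict(base)
    params["gx"], params["gy"] = g_prime
    return params


def naive_is_trusted(cert, roots):
    """The flawed check: a root 'matches' if the public-key point is equal."""
    return any(cert["pub"] == root["pub"] for root in roots)


def strict_is_trusted(cert, roots):
    """The corrected check: the key AND the full curve parameters must match
    the root's (equivalently: refuse explicit parameters, accept only the
    named curve the root was issued on)."""
    return any(cert["pub"] == root["pub"] and cert["curve"] == root["curve"]
               for root in roots)


def demo(root_priv=0x1E240, attacker_priv=0xABCDEF):
    """Constructed scenario. Returns (naive verdict, strict verdict,
    whether the spoofed certificate carries the root's exact public key)."""
    G = (P256["gx"], P256["gy"])
    root = {"pub": ec_mul(root_priv, G, P256), "curve": P256}  # trusted root
    spoof_curve = forge_params(root["pub"], attacker_priv)
    spoof_pub = ec_mul(attacker_priv,
                       (spoof_curve["gx"], spoof_curve["gy"]), spoof_curve)
    spoof = {"pub": spoof_pub, "curve": spoof_curve}  # attacker's certificate
    return (naive_is_trusted(spoof, [root]),
            strict_is_trusted(spoof, [root]),
            spoof_pub == root["pub"])


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The attacker never learns the root's private key; the spoof works only because the validator let the certificate bring its own generator. A real fix therefore has to bind the key to the named curve (reject or fully verify explicit parameters), not merely compare key points. The modular inverse uses `pow(x, -1, m)`, which needs Python 3.8 or later.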
As KrebsOnSecurity first reported, Microsoft was tipped to the vulnerability by the US National Security Agency. Anne Neuberger, the head of NSA's Cybersecurity Directorate, confirmed this in a media call on Tuesday, saying that NSA discovered the vulnerability in the course of its routine look at the range of tools it uses. Given the wide-ranging threat posed by the vulnerability, NSA decided to disclose the flaw to Microsoft. Neuberger recommended that network owners immediately implement the patch, as, she said, "we ourselves will be doing."
Also on Tuesday, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring Federal agencies to patch their Windows systems within ten business days or remove them from their networks.
None of NSA, CISA, or Microsoft has seen exploitation of the vulnerability in the wild, but NSA warned on Tuesday that "sophisticated cyber actors will understand the underlying flaw very quickly." They were correct: by Thursday, ZDNet reported that two exploits for the flaw had been publicly released, so urgency in patching is warranted. Security researcher Saleem Rashid also demonstrated how the vulnerability could be exploited to spoof certificates (although Rashid refrained from releasing his code until after the other two exploits had been posted).
The Washington Post sees NSA’s disclosure as representing a shift in policy, and indeed Neuberger did say that it was a "change in approach." WIRED and others note that, unlike EternalBlue, NSA didn't exploit this vulnerability for its own purposes before disclosing it to Microsoft. But the real change in approach was NSA’s decision to allow its disclosure to be made public; it has disclosed vulnerabilities in the past, but there's an unprecedented openness in this most recent disclosure.
Proof-of-concept exploits published for Citrix vulnerability.
ZDNet reports that two exploits for a critical path-traversal vulnerability (CVE-2019-19781) in Citrix's Application Delivery Controller and Gateway products have been posted to GitHub. Tens of thousands of organizations are estimated to be vulnerable to the flaw, which can allow an attacker to gain remote access to a network without authentication. Bad Packets and others have been observing mass scanning targeting vulnerable Citrix servers, and JPCERT says attacks exploiting the vulnerability are already taking place.
Citrix is still developing patches for the flaw, which are expected to be released by the end of January, but the company recommends implementing mitigations as soon as possible. The Dutch National Cyber Security Centre (NCSC) warns, however, that "there is currently no good, guaranteed reliable solution for all versions of Citrix ADC and Citrix Gateway servers." The NCSC recommends that these servers be turned off, if possible, until patches are available. Ars Technica notes that CISA has released a tool for administrators to test whether their Citrix software is vulnerable.
Burisma possibly hacked by Fancy Bear.
Area 1 has published research indicating that Russia’s GRU in November of 2019 began a phishing campaign against the Ukrainian energy company Burisma Holdings. The goal was to obtain email credentials from Burisma and its subsidiaries and partners. Burisma is the company whose connections to former US Vice President Biden’s son, Hunter Biden, were at the center of the impeachment inquiry directed at US President Trump, who wanted a Ukrainian investigation of those connections and is accused of having abused his office in pressuring his Ukrainian counterpart.
It’s worth noting that while Area 1’s report has been widely accepted, the Burisma hack is still a developing story. As E&E News points out, the story absolutely passes the "laugh test," but the report is also "heavy on conclusions about Russia's involvement in the latest hacking campaign targeting Ukraine but light on technical evidence."
In any case, Reuters reports that Ukrainian authorities have asked for the FBI's assistance in investigating the alleged Burisma hack and related matters. According to ABC News, Ukrainian police believe the attack was "probably committed by the Russian special services." The White House also says President Trump may raise the Burisma hacking affair in his next discussion with Russian President Putin.
APT40 tied to companies in Hainan.
ZDNet reports that the anonymous security analysts of Intrusion Truth have uncovered thirteen companies, operating for the most part from Hainan, a large island province in the South China Sea, that appear to serve as fronts for APT40. APT40 is a threat group associated with the Chinese government and best known for espionage on behalf of the People's Liberation Army Navy.
Intrusion Truth has posted its findings throughout the week. The thirteen Hainan companies are all hiring people with offensive cyber skills and useful linguistic capabilities (for example, some of the job ads look for English, Indonesian, and Cambodian linguists). Notably, one of the companies was advertising positions for Cambodian linguists between March and April 2018, while APT40 was targeting Cambodian electoral entities ahead of that country's general election in July 2018. As Intrusion Truth puts it, "we have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations, but different names, recruiting for offensive hacking skills. Like Boyusec, Huaying Haitai, Antorsoft, and others, these companies have very little presence on the Internet outside of these adverts."
The researchers traced the companies back to a single intelligence officer, and they conclude that "[e]ither a Hainan intelligence officer has a side-hustle running a business empire of at least 13 'fast-growing, high-tech information security companies', and that business empire has a side-hustle recruiting people with knowledge of the languages spoken in APT40 target countries coincidentally in the months preceding APT40 attacks in those countries, and on the same island that we know APT40 runs its operations....Or, APT40 is run by Ding Xiaoyang, an intelligence officer at the Hainan State Security Department."
Ransomware and data breaches continue to overlap.
The Maze ransomware operators continue the new trend in which extortionists steal data before encrypting it in order to dox victims who refuse to pay the ransom, BleepingComputer notes. Southwire, a metal manufacturer based in Carrollton, Georgia, not only declined to pay, but filed a lawsuit against the Maze operators (named in the suit as "John Doe") and sought injunctions against the Irish hosting provider that hosted the group's website. The injunctions Southwire obtained resulted in the site being shut down, but the criminals shifted their operations to a Russian hacker forum, where they’ve posted 14.1 gigabytes of what they claim are files stolen from Southwire.
BleepingComputer also reports that the Nemty ransomware operators plan to follow this approach by setting up a blog on which to post stolen data from stubborn victims. BleepingComputer observes that this method gives attackers more leverage over their victims, since even companies who keep adequate backups will have to face "fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits for the disclosing of personal data." On the other hand, unlike in traditional ransomware attacks, where the victim pays a ransom and (hopefully) receives a working decryption key, victims of data theft extortion have no way of knowing if the attackers will keep their word, even after they've paid the ransom.
SIM swappers turn to RDP.
Motherboard has found that hackers are using Remote Desktop Protocol (RDP) at telecom companies to carry out SIM swapping attacks directly, whereas in the past they've primarily relied on social engineering and bribes to get telecom employees to give them control over phone numbers. In this new technique, social engineering is still involved to trick employees into giving the attackers access to RDP software, but once the attackers are in, they're able to make the changes themselves. One of these attackers told Motherboard that "Some employees and managers are absolute brain dead and give us access to everything they own and that's when we start stealing." T-Mobile, AT&T, and Sprint are believed to be the telecom companies most affected by this technique. All three companies told Motherboard that they're aware of the tactic and they've implemented preventative measures.
Patch news.
In addition to the CryptoAPI vulnerability outlined above, Microsoft's Patch Tuesday update includes fixes for several vulnerabilities in Windows's remote access tools that could enable remote code execution without authentication or user interaction, Naked Security observes. CISA's emergency directive also made mention of these vulnerabilities.
Tuesday also marked the end of support for Windows 7, although The Verge notes that 26 percent of PCs are still running the now-antiquated operating system.
Oracle released 334 security fixes across 94 products, ZDNet reports. 191 of the vulnerabilities can be exploited remotely without authentication.
Crime and punishment.
The US FBI, in coordination with the UK's National Crime Agency, the Netherlands National Police Corps, Germany's Bundeskriminalamt, and the Police Service of Northern Ireland, seized the domain of WeLeakInfo, a website that offered a subscription service for access to stolen data. The US Department of Justice said the site provided subscribers with a search engine to look through more than 12 billion stolen records gathered from over 10,000 data breaches. ZDNet notes that Dutch police arrested a man in Arnhem for suspected involvement in the site's operation, and NU.nl reports that another man was arrested in Northern Ireland.
Courts and torts.
Israeli spyware company NSO Group is facing a court hearing in Tel Aviv as Amnesty International seeks to have the company’s export license revoked, Verdict notes. Reuters reports that a Tel Aviv District Court judge has banned the public and the media from the hearings at the request of Israel's defense ministry, citing national security concerns.
Zscaler will pay $15 million to Broadcom to settle two patent infringement lawsuits filed by Symantec in 2016 and 2017, CRN reports. Broadcom, which purchased Symantec in November, will provide Zscaler with a patent license, release, and covenant not to sue.
Policies, procurements, and agency equities.
The FBI announced a new policy to give state and local election officials "timely" notifications of cyber incidents affecting election infrastructure, The Hill reports. The Bureau's previous approach was to alert the immediate victims of a cyberattack, but not necessarily anyone else. The FBI hopes that "this new policy will result in increased collaboration between all levels of government for the integrity and security of U.S. elections."
Turkey has restored access to Wikipedia after the country's Constitutional Court ruled that the ban was a violation of free speech, Bloomberg reports.
As the UK approaches its decision on Huawei's potential role in the nation’s 5G infrastructure, the Guardian reports that Her Majesty's Government has already taken into account the most recent US concerns, and the country seems likely to conclude that any risk associated with Huawei is manageable. The US has warned that too much Huawei in the infrastructure would force American intelligence services to constrain the way they share information with their British counterparts, but MI5's Director General Andrew Parker told the Financial Times that he thinks the special relationship is too long-standing, too close, and too special for matters to go that far. That said, there’s no denying that the US has been both assertive and consistent on the risks posed by Huawei.
Meanwhile in the US, the Federal Communications Commission appears to be seeking to expand its ban on Huawei and ZTE gear, according to JDSupra. Additionally, CNBC reports that the US Department of Commerce "has drafted a rule that would lower the threshold only on exports to Huawei to 10% and expand the purview to include non-technical goods like consumer electronics including non-sensitive chips." Commerce reportedly sent this rule to the Office of Management and Budget last week, and the measure is now presumably awaiting approval from other government agencies.
Fortunes of commerce.
UC Berkeley’s Center for Long-Term Cybersecurity (CLTC) and Booz Allen Hamilton have released a report outlining four tensions they believe will shape board governance of cybersecurity. These four tensions are "an organization’s overall risk model or mindset; distribution of cybersecurity expertise on the board; balance between cooperation and competition with other enterprises; and the model for information flows between management and the board."
Labor markets.
US Army Cyber Command is looking to fill positions as it moves its headquarters to Fort Gordon, the Augusta Chronicle notes.
Mergers and acquisitions.
Switzerland-based technology company Acronis has purchased Florida-based Microsoft Cloud security and management provider 5nine for an undisclosed amount.
Santa Barbara, California-based IT performance monitoring company LogicMonitor has acquired Sweden-based AIOps company Unomaly.
Los Angeles-based private investment firm Skyview Capital has purchased Maryland-based network security and digital forensics company Fidelis Cybersecurity.
Apple has acquired Seattle-based artificial intelligence startup Xnor.ai for $200 million, AppleInsider reports.
Swedish public key infrastructure provider PrimeKey has acquired Australian cryptography company Crypto Workshop.
Fairfax, Virginia-based ICF International will acquire Arlington, Virginia-based cloud services provider Incentive Technology Group, LLC (ITG) for $255 million.
Atlanta, Georgia-based risk management firm LexisNexis Risk Solutions is buying San Diego-based credit and fraud risk solutions provider ID Analytics from NortonLifeLock for $375 million, CRN reports.
Israeli digital forensics firm Cellebrite has acquired San Jose, California-based computer forensics company BlackBag Technologies for $33 million, 9to5Mac reports.
Alameda, California-based software development company Wind River has acquired Washington, DC-based embedded systems security company Star Lab for an undisclosed amount, the Valdosta Daily Times reports.
Investments and exits.
Canadian DevSecOps software provider Security Compass has received growth equity funding from FTV Capital.
Redwood City, California-based data layer security company Cyral has secured $11 million in a Series A funding round led by Redpoint Ventures, with participation from A.Capital, Costanoa VC, Firebolt Ventures, SV Angel, and Trifecta Capital.
AKUA, an IoT sensor data intelligence company with offices in San Francisco and Baltimore, has received an investment from Momenta Ventures.
Arizona-based passwordless multi-factor authentication provider Trusona has raised $20 million in Series C funding led by Georgian Partners, with participation from Akamai and existing investors Kleiner Perkins, M12, OurCrowd, and Seven Peaks Ventures.
Atlanta, Georgia-based cybersecurity awareness training company Curricula has raised $3 million in Series A funding led by RCP Equity, Hypepotamus reports.
Atlanta-based pentesting and red teaming company Raxis has received a "major outside investment" from RCP Equity, the amount of which was not disclosed.
Sydney and Chicago-based anti-bot company Kasada received $7 million in Series A funding, with In-Q-Tel as its latest investor, TechCrunch reports.
And security innovation.
A security researcher working for Airbus performed a "Stuxnet-type attack" on a Schneider Modicon M340 programmable logic controller, according to CyberScoop. The research will be used in a security training course for Airbus Cybersecurity.