By the CyberWire staff
Garmin confirms ransomware attack.
US-based GPS company Garmin sustained a ransomware attack on July 23rd that knocked most of its services offline for five days, Ars Technica reports. The company confirmed the attack on Monday, stating that "many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications....We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days."
BleepingComputer and TechCrunch reported that the attack involved WastedLocker, a new strain of ransomware operated by the Evil Corp cybercriminal gang (which was sanctioned by the US Treasury Department late last year). Some reports claimed the criminals demanded a $10 million ransom, according to the BBC. Sky News cites sources as saying Garmin was able to obtain the decryption key but "did not directly make a payment to the hackers," leading to speculation that the company may have paid the ransom through a third party. Garmin didn't respond to these claims, telling Sky News that the company "does not comment on rumour and speculation."
The incident raised questions about the legality of paying a ransom to a sanctioned entity, even if the payment is made through a third party. Sky News says the US Treasury Department "did not respond to questions about whether the general prohibition applied in the circumstances of extortion." Brett Callow from Emsisoft told TechCrunch that the sanctions "seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom."
It's also worth noting, as Motherboard does, that while Evil Corp is notably absent from the growing list of ransomware gangs that use data theft as an extortion tactic, Garmin stores highly sensitive GPS data from its customers, including fitness tracking information and shipping, aviation, and route-planning navigation data. Garmin maintains that there's no indication of any data being stolen, but Emsisoft's Callow told Sky News, "Absence of indication is not indication of absence."
The ABCs of ICS Threat Activity Groups
Find out why threat activity groups are so important to a cyber defense strategy. Dragos and CyberWire are joining forces for this August 26 webinar to cover identification, analysis and attribution of threat groups including an update on the latest groups to surface.
Chinese APT accused of hacking the Vatican.
Recorded Future researchers say a Chinese state-sponsored APT, "RedDelta," infiltrated the networks of the Vatican, the Catholic Diocese of Hong Kong, and several other Catholic organizations ahead of the upcoming renewal of the Vatican's controversial provisional agreement, under which the Chinese government was granted more control over the "underground" Catholic Church within the country. The attackers used well-crafted spearphishing documents to deliver the PlugX malware to the targeted entities. The researchers conclude that "[t]he targeting of entities related to the Catholic church is likely indicative of CCP objectives in consolidating control over the 'underground' Catholic church, 'sinicizing religions' in China, and diminishing the perceived influence of the Vatican within China’s Catholic community."
China said in response to the accusations that its accusers haven't provided conclusive evidence and are engaging in "groundless speculation."
Hacker-for-hire group conducts corporate espionage.
European law firms are being targeted by a "hacker-for-hire mercenary group," ZDNet reports. The group, which is tracked as the "Deceptikons," has been described in Kaspersky's APT Trends Threat Report for 2020's second quarter. The researchers conclude that the group is "clever" as opposed to "technically advanced." The Deceptikons have been active for a decade, and are most interested in collecting financial information, client information, and details of negotiations. Kaspersky doesn’t associate the group with any particular organization, threat actor, or nation-state, but notes that its "repeated targeting of commercial and non-governmental organizations is somewhat unusual for APT actors."
A new newsletter for Women in Cybersecurity from the CyberWire.
The CyberWire is thrilled to announce the launch of our new newsletter focused on connecting women in the cybersecurity field across the globe! The official launch date will be August 3rd, and we will continue publishing monthly on the first Monday of every month. Brought to you by women in the industry, you are invited to join our league of cyber ladies and create lasting connections. Learn more or subscribe here.
North Korean operators phishing with fake job offers.
McAfee researchers describe Operation North Star, a North Korean cyberespionage campaign that targets workers in the defense and aerospace sector with bogus job offers. Pyongyang has used this approach intermittently since 2018. LinkedIn has again been used to communicate the offers, which are subsequently baited with malicious code. McAfee believes the TTPs are sufficiently similar to past campaigns to tie this activity to Hidden Cobra (also known as the Lazarus Group), but the malware and phishing lures are different enough that the researchers conclude the operation "is part of a different activity set."
"Phone spear phishing" led to Twitter hack.
Twitter said Thursday that the social engineering component of the July 15th account takeovers involved a "phone spear phishing attack" (also known as "vishing," or voice phishing). The company explained, "A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7."
GRUB2 flaw allows Secure Boot bypass.
Researchers at Eclypsium discovered a buffer overflow vulnerability (CVE-2020-10713), dubbed "BootHole," in the GRUB2 bootloader used by the vast majority of Linux systems. The overflow is triggered while GRUB2 parses its configuration file, grub.cfg, which is not covered by the signatures Secure Boot verifies, so an attacker who can modify that file can execute arbitrary code during boot even when Secure Boot is enabled; and because the shim that loads GRUB2 is signed by Microsoft's third-party UEFI CA, any machine that trusts that CA, including Windows systems, can be made to boot a vulnerable GRUB2. An attacker would need either administrative privileges or physical access to a device to plant the modified file, however, and Ars Technica points out that if the attacker has those, you've got a lot of other problems to worry about. Still, ZDNet observes that "the Secure Boot process was specifically created to prevent even high-privileged admin accounts from compromising the boot process, meaning that BootHole is a major security hole in one of the IT ecosystem's most secure operations."
NSA has issued mitigation advice for the BootHole vulnerability. Fort Meade suggests two approaches. Most individual users and small enterprises, in NSA's opinion, should update the endpoint's vulnerable boot components (shim, GRUB2 and the accompanying kernel packages) and then revoke trust in the old ones, which in practice means applying an update to the UEFI forbidden-signature database (DBX) so the firmware refuses to load the previously signed binaries. Order matters: revoking before the new components are installed, or revoking hashes of a bootloader that still sits on the recovery media an organization relies on, can leave systems unable to boot. Organizations that require higher levels of security can instead stand up their own Secure Boot trust infrastructure (their own platform and signing keys) and customize their endpoints to use it, so that only binaries they have signed will boot.
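The "revoke trust" half of NSA's first approach comes down to what is in the DBX. The following is an added example for this briefing, not NSA's or Eclypsium's code: it parses the EFI_SIGNATURE_LIST format that the DBX variable uses and checks whether a given boot component's hash has been revoked. The three hashes and the sample DBX are constructed for the example; on a real system the DBX hashes are Authenticode hashes of the PE images (as produced by tools such as pesign), not a plain SHA-256 of the file.

```python
"""Check boot-component hashes against a UEFI DBX (forbidden signature database).

Added example for this briefing; not NSA's or Eclypsium's code. The DBX below
is constructed from made-up hashes and is not a real revocation list."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def strip_efivar_attributes(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ begin with 4 attribute bytes that
    are not part of the variable's contents; drop them before parsing."""
    return raw[4:]


def parse_signature_lists(data: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures and return
    (signature_type, owner_guid, signature_bytes) for every entry."""
    entries = []
    off = 0
    while off + HEADER_LEN <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_size and sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        pos = off + HEADER_LEN + hdr_size   # skip the optional SignatureHeader
        end = off + list_size
        while sig_size and pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(data):
        raise ValueError("trailing bytes after the last signature list")
    return entries


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Authenticode (PE image) SHA-256 hashes the firmware will refuse to load."""
    return {sig for t, _, sig in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}


def is_revoked(pe_hash: bytes, dbx: bytes) -> bool:
    return pe_hash in revoked_sha256_hashes(dbx)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_CERT_SHA256 list; used here only to construct the sample."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + 32)
    return header + body


# Constructed sample: two "old" bootloader hashes revoked, the patched one not.
OLD_SHIM_HASH = hashlib.sha256(b"constructed: pre-BootHole shim").digest()
OLD_GRUB_HASH = hashlib.sha256(b"constructed: pre-BootHole grub").digest()
NEW_GRUB_HASH = hashlib.sha256(b"constructed: patched grub").digest()
SAMPLE_DBX = build_sha256_list([OLD_SHIM_HASH]) + build_sha256_list([OLD_GRUB_HASH])

if __name__ == "__main__":
    # On a live Linux system read the variable instead, e.g.
    # strip_efivar_attributes(open("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f", "rb").read())
    for name, h in [("old shim", OLD_SHIM_HASH), ("old grub", OLD_GRUB_HASH), ("new grub", NEW_GRUB_HASH)]:
        print(f"{name}: {'REVOKED' if is_revoked(h, SAMPLE_DBX) else 'allowed'}")
```

Comparing the hashes of every bootloader on the disk and on recovery media against this set before pushing a DBX update is the check that avoids the ordering problem above.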
Are you interested in space and communications?
If so, take a look at the Cosmic AES Signals & Space. Aerospace meets outer space. This monthly briefing on cyber security as it relates to the space and SIGINT sectors covers technology, policy, market news and more.
Russian intelligence services spreading pandemic-related disinformation.
Russia's GRU is pushing disinformation about the COVID-19 pandemic through several English-language news sites, US officials told the New York Times and the Associated Press. The US officials said the GRU's Unit 54777, the agency's psychological warfare unit, was responsible for the content posted on InfoRos.ru, Infobrics.org, and OneWorld.press. The AP says the officials explained that the sites "promote their narratives in a sophisticated but insidious effort that they liken to money laundering, where stories in well-written English — and often with pro-Russian sentiment — are cycled through other news sources to conceal their origin and enhance the legitimacy of the information." The sites themselves weren't heavily trafficked, but the Times notes that it's difficult to track the reach of the campaign since the content was designed to be amplified by other sources.
For more, see the CyberWire Pro Disinformation Briefing.
Lazarus experiments with targeted ransomware attacks.
Kaspersky also says the Lazarus Group is trying to enter the big-game-hunting ransomware scene with its own custom ransomware, dubbed "VHD." The VHD ransomware was first observed in limited use earlier this year but hadn't previously been tied to Lazarus. Kaspersky observed two attacks involving VHD, and concluded that the malware itself is "nothing special," and its encryption mechanism may be vulnerable to reversal. VHD's operators also seem to be less experienced than other ransomware groups at lurking within a network and priming the ransomware to cause as much destruction as possible.
However, the attacks were notable for two reasons. First, the ransomware was spread via a component that brute-forced administrative credentials for the SMB service on each machine, then mounted a network share and copied the malware through WMI calls. Kaspersky says this type of "worming capability" is more characteristic of nation-state wiper attacks than sophisticated cybercriminal operations.
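The spreading behaviour Kaspersky describes leaves a recognizable trail in Windows Security logs: a burst of failed network logons from one source, a success from the same source, then an administrative share connection and a process started under WMI. The following correlation rule is an added example for this briefing, not Kaspersky's detection logic, and it assumes the generic pattern rather than any artifact specific to VHD. The event IDs (4625/4624 with logon type 3, 5140 share access, 4688 process creation with its creator process) are real Windows events; the flat log format, hosts, addresses and accounts are constructed. In practice 5140 requires file-share auditing to be enabled and the 4688 parent-process field is only populated on recent Windows versions.

```python
"""Correlation rule for the SMB brute-force + WMI lateral-movement pattern.

Added example for this briefing, not Kaspersky's code; the log lines are
constructed, only the Windows event IDs and logon types are real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: time, event ID, host, source IP, account, logon type,
# detail (share name for 5140; "parent>child" for 4688). WS01 shows the full
# pattern; WS02 is a user mistyping a password twice and opening a normal share.
SAMPLE_LOG = """\
2020-07-27T10:00:01 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:02 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:03 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:04 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:05 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:06 4625 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:09 4624 WS01 10.0.0.5 Administrator 3 -
2020-07-27T10:00:10 5140 WS01 10.0.0.5 Administrator 3 ADMIN$
2020-07-27T10:00:12 4688 WS01 - Administrator - WmiPrvSE.exe>payload.exe
2020-07-27T11:30:00 4625 WS02 10.0.0.9 jsmith 3 -
2020-07-27T11:30:01 4625 WS02 10.0.0.9 jsmith 3 -
2020-07-27T11:30:05 4624 WS02 10.0.0.9 jsmith 3 -
2020-07-27T11:30:07 5140 WS02 10.0.0.9 jsmith 3 Projects
"""

ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_log(text):
    """Parse the constructed flat format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, src, user, ltype, detail = line.split(maxsplit=6)
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "host": host,
                       "src": src, "user": user, "logon_type": ltype, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when, for one (host, source IP) pair, at least `threshold` failed
    network logons (4625, type 3) precede a successful one (4624, type 3)
    within `window`, and that success is followed within `window` by an
    admin-share connection (5140 to ADMIN$/C$) or a process whose creator is
    WmiPrvSE.exe (4688) on the same host."""
    alerts = []
    by_pair = defaultdict(list)
    for e in events:
        if e["src"] != "-":           # 4688 carries no source address
            by_pair[(e["host"], e["src"])].append(e)
    for (host, src), evs in by_pair.items():
        fails = [e for e in evs if e["id"] == 4625 and e["logon_type"] == "3"]
        for ok in (e for e in evs if e["id"] == 4624 and e["logon_type"] == "3"):
            recent = [f for f in fails if ok["ts"] - window <= f["ts"] < ok["ts"]]
            if len(recent) < threshold:
                continue
            until = ok["ts"] + window
            shares = [e["detail"] for e in evs if e["id"] == 5140
                      and ok["ts"] <= e["ts"] <= until and e["detail"].upper() in ADMIN_SHARES]
            wmi_children = [e["detail"].split(">", 1)[1] for e in events
                            if e["host"] == host and e["id"] == 4688
                            and ok["ts"] <= e["ts"] <= until
                            and e["detail"].lower().startswith("wmiprvse.exe>")]
            if shares or wmi_children:
                alerts.append({"host": host, "src": src, "user": ok["user"],
                               "failed_logons": len(recent), "admin_shares": shares,
                               "wmi_children": wmi_children, "at": ok["ts"].isoformat()})
                break                 # one alert per (host, source) pair
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The rule deliberately requires the post-logon stage (share or WMI child) so that an ordinary user locking themselves out does not page anyone; tune `threshold` and `window` to the environment's normal failure rate.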
Second, one of the VHD incidents involved the MATA framework, and Kaspersky is confident that there was only one threat actor within the victim's network at the time. This finding, combined with the fact that VHD doesn't seem to be sold on criminal forums, led the researchers to conclude that the ransomware is "owned and operated by Lazarus."
CyberScoop observes that this isn't the Lazarus Group's first foray into ransomware; the group has been accused of involvement in the 2017 WannaCry attacks. But those attacks, while destructive, were indiscriminate and largely unsuccessful from a monetary perspective, with the attackers pocketing roughly $140,000. Kaspersky's findings may indicate that the group is interested in conducting more lucrative and sophisticated ransomware operations. Kaspersky concludes that "[o]nly time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment."
For more, see the CyberWire Pro Research Briefing.
Avast pulls VPN servers from Hong Kong.
Avast has moved its VPN servers out of Hong Kong following the passage of China's new national security law. The company stated, "After careful consideration, we have decided (at least temporarily) to pull our VPN servers from Hong Kong. Traffic will be rerouted via nearby locations, such as Taiwan and Singapore. As we learn more about the enforcement of the new law in China, it’s crucial that we keep our eyes open for measures including the potential use of wiretaps and surveillance by the authorities."
Avast said to its users in Hong Kong, "We want to make it clear: we are not giving up on you. We will continue to offer our services so that you can continue to encrypt your connection using our servers in other locations, and in the meantime, we will continue to promote your ability to access a free and uncensored internet for as long as we possibly can. We’ll continue to monitor the situation closely."
More business news can be found in the CyberWire Pro Business Briefing.
Patch news.
Cisco has warned of "the existence of public exploit code and active exploitation" of a path traversal vulnerability (CVE-2020-3452) in the web services interface of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software; an unauthenticated remote attacker can use it to read files within the device's web services file system, though not the underlying operating system. The fix requires a software upgrade and reload, and Threatpost cites researchers from Rapid7 who found at the beginning of the week that only ten percent of internet-accessible FTD devices had been restarted (and updated) since last Wednesday.
Researchers at Trustwave disclosed two flaws in the firmware update process of ASUS RT-AC1900P home routers, Naked Security reports. ASUS promptly patched the vulnerabilities, and users are advised to ensure their routers have updated since the patch was released.
Crime and punishment.
Federal authorities in Florida arrested and charged a 17-year-old male as an adult in connection with the July 15th Twitter hack, the Wall Street Journal reported Friday afternoon. The suspect, who lived in Tampa, is facing thirty felony charges.
CyberScoop reports that the US Department of Justice filed a superseding indictment against two former Twitter employees, charging them with acting as an agent of a foreign government without notice to the Attorney General; conspiracy to commit wire fraud and honest services fraud; wire fraud and honest services fraud (conspiracy is its own distinct crime); money laundering; destruction, alteration, or falsification of documents relevant to a Federal investigation; and aiding and abetting. The defendants are alleged to have done these things on behalf of the Kingdom of Saudi Arabia, and they’re alleged to have snooped on a former associate of murdered journalist Jamal Khashoggi.
The European Union on Thursday imposed its first-ever sanctions for cyberattacks, the South China Morning Post reports. The sanctions were levied against four Russian individuals, two Chinese nationals, a Chinese company, a North Korean firm, and the Russian GRU's Main Centre for Special Technologies (GTsST) for their alleged involvement in four high-profile cyberattacks: WannaCry, NotPetya, Operation Cloud Hopper, and the attempted 2018 attack against the Organisation for the Prohibition of Chemical Weapons (OPCW).
Courts and torts.
Not yet a court case, but potentially heading in that distant direction: the heads of Amazon, Apple, Google, and Facebook testified (remotely) before the US House Judiciary Committee's antitrust subcommittee on Wednesday. The House subcommittee was interested in both anti-competitive practices and the roles the platforms have assumed in moderating content and influencing elections. The Wall Street Journal sees the central issue raised in the session as the economic and social power big data analytics have enabled Big Tech to concentrate. The chiefs' answers to questions about alleged anti-competitive practices were to disclaim any attempt to use data they collect on their customers or partners to favor their own business at the expense of those customers or partners. They also said it wasn't their practice to acquire potential or actual competitors to clear the field for their own products or services.
Messrs. Bezos, Cook, Pichai, and Zuckerberg generally stuck to foreseeable messaging, but observers thought the Congressional inquisitors seemed well-prepared. CNBC concludes that the hearing itself was "spectacular political theater with no substance," but notes that a more consequential outcome of the subcommittee's investigation was the aggregation of more than one million internal documents from the four companies, some of which were released Wednesday. CNBC believes that "these documents should go a long way if and when any action is taken against those Big Tech companies."
Two things seem likely. First, it will be difficult for online services to retain the Section 230 immunities they currently enjoy while they exercise more gatekeeping with respect to content. The role of publisher and neutral public square are likely to prove incompatible. And second, Big Tech's antitrust problems are unlikely to go away; as investigators continue to examine tech companies as incipient monopolies, those companies' access to and use of massive quantities of data will be the entering wedge of antitrust action.
Policies, procurements, and agency equities.
France seems likely to require wireless operators to phase Huawei's equipment out of the country's 5G networks by 2028, Bloomberg reports (via the Press Herald). France's cybersecurity agency, ANSSI, said wireless operators will be issued licenses to use Huawei's gear for three to eight years. Reuters cites a source as saying that the French government told the operators informally that these licenses will not be renewed once they expire. France's finance ministry stressed that "any talk of a ban is rumor and speculation," but most observers note that the move will accomplish the same goal. Reuters explains that even companies that are granted eight-year licenses will probably be dissuaded from buying new Huawei gear.
The US Treasury Department is finishing its review of whether TikTok, the Chinese-owned social network that specializes in sharing short videos, constitutes a national security threat, the Wall Street Journal reports. The Journal also says Microsoft is in discussions to buy TikTok's US operations if its Beijing-based owner, ByteDance, is ordered by the US to divest its ownership of the app.
For more, see the CyberWire Pro Policy Briefing.