Belarus shuts down Internet amid protests.
The government of Belarus largely shut down the country's Internet on Sunday amid protests over the dubious landslide reelection of President Alexander Lukashenko, Vice reports. The government maintains that the Internet disruptions are being caused by DDoS attacks from foreign operators, but most observers are confident that the outages were ordered by Minsk itself. According to the Guardian, the shutdown was administered at the level of Beltelecom (Belarus's national telco) and the Belarusian National Traffic Exchange Centre. The Guardian quotes a source at a Belarusian mobile operator as saying, "We’re in shock from what is happening. It’s going to continue until approximately 14 August. We’ve simply been told that this is what’s happening."
Vice cites Alp Toker, director of NetBlocks, as saying the Belarusian government appears to be using deep packet inspection to block access to any Internet domains that contain one of more than 10,000 specified keywords. Toker says this technique would create the impression of a technical failure, comparing it to a randomized version of China's Great Firewall. Radio Free Europe | Radio Liberty notes that the Belarusian government spent $2.5 million on deep packet inspection technology in 2018, and the government may have been testing it when VPN outages were observed last month.
Some VPN services remained accessible during last week's outages, although many were blocked. The Telegram messaging app became the primary mode of communication and coordination for protesters and others in the country. Telegram founder Pavel Durov, a Russian now in exile, tweeted that "We enabled our anti-censorship tools in Belarus so that Telegram remained available for most users there. However, the connection is still very unstable as Internet is at times shut off completely in the country."
US Secretary of State Pompeo stated Monday that Belarus's election "was not free and fair," and that "[w]e strongly condemn ongoing violence against protesters and the detention of opposition supporters, as well as the use of internet shutdowns to hinder the ability of the Belarusian people to share information about the election and the demonstrations." The European Union said much the same, and Deutsche Welle reports that EU foreign ministers have agreed to impose new sanctions on "those responsible for the violence, arrests, and fraud in connection with the election."
NSA and FBI issue a joint report on GRU malware.
The US National Security Agency and the Federal Bureau of Investigation on Thursday issued a very detailed joint report on a previously undisclosed set of Linux malware dubbed "Drovorub," which the report attributes to the Russian GRU's 85th Main Special Service Center (GTsSS), military unit 26165 (more commonly known as APT28 or Fancy Bear). Drovorub consists of "an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server." The malware can download and upload files, execute commands as root, and set up port forwarding with other systems on the network. The report offers comprehensive technical analyses of each component of the toolset, and it's detailed enough to suggest that the US has extensive visibility into GRU operations.
Interestingly, the report says "Drovorub," which translates to "woodcutter," is the name the GRU operators themselves assigned to the malware. Dmitri Alperovitch points out that "'Drova' is slang in Russian for 'drivers', as in kernel drivers. So the name likely was chosen to mean '(security) driver slayer.'"
Many observers expressed surprise and appreciation at the high level of detail in an NSA publication. The report states, "The release of this advisory furthers NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense information systems, and the Defense Industrial Base, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders."
US seizes cryptocurrency assets of terror groups.
The US Justice Department dismantled cyber-enabled financing campaigns that benefited ISIS, al-Qaeda, and the al-Qassam Brigades (Hamas’s military wing). The operation involved the seizure of "millions of dollars, over 300 cryptocurrency accounts, four websites, and four Facebook pages all related to the criminal enterprise."
The al-Qassam Brigades solicited bitcoin donations on its social media pages and websites. The group was honest about what the funds would facilitate, boasting "that bitcoin donations were untraceable and would be used for violent causes." During the operation, US authorities covertly took over the group's websites and diverted donations to US-owned bitcoin wallets. US law enforcement has also executed criminal search warrants against US-based donors to this campaign.
Al-Qaeda was similarly direct about the purpose of its fundraising, although in some cases the group posted from social media pages that posed as charities. Even when posting from these pages, however, the group was still "openly and explicitly soliciting funds for violent terrorist attacks."
The third campaign, operated by "Murat Cakar, an ISIS facilitator who is responsible for managing select ISIS hacking operations," involved a COVID-19-related scam site (FaceMaskCenter[.]com) that purported to sell FDA-approved N95 masks. US authorities seized the website and four related Facebook pages.
Qualcomm chip vulnerabilities.
Researchers at Check Point discovered "[m]ore than 400 vulnerable pieces of code" in the digital signal processor (DSP) unit of Qualcomm's widely used Snapdragon chips, which are included in most Android phones. Check Point didn't share many details on the flaws, but said the vulnerabilities could be exploited to turn a phone into "a perfect spying tool, without any user interaction required." The vulnerabilities could also be used to brick the phone or plant unremovable malware.
Qualcomm has issued patches for the flaws, but Ars Technica says that so far no Android devices have implemented the fixes, and Google doesn't seem to have applied them to the Android operating system. Ars says the only thing users can do at the moment is simply follow security best practices for mobile devices and apply patches promptly once they're released.
Check Point stated that it "decided not to publish the full technical details of these vulnerabilities until mobile vendors have a comprehensive solution to mitigate the possible risks described. However, we decided to publish this blog to raise the awareness to these issues. We have also updated relevant government officials, and relevant mobile vendors we have collaborated with on this research to assist them in making their handsets safer. The full research details were revealed to these stakeholders."
Qualcomm said in a statement to Ars Technica, "Regarding the Qualcomm Compute DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store."
SANS Institute discloses data breach.
The SANS Institute, a leading provider of infosec training, disclosed that it had sustained a data breach. The Institute is notifying affected individuals. It discovered the incident on August 6th and traced its source to a phishing attack that a single employee fell for:
"On August 6th, as part of a systematic review of email configuration and rules we identified a suspicious forwarding rule and initiated our incident response process. This rule was found to have forwarded a number of emails from a specific individual's e-mail account to a suspicious external email address. The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence. SANS quickly stopped any further release of information from the account.
"As a result of this incident, 513 emails were forwarded to a suspicious external email address. Most of these emails were harmless, but some of these emails contained files with personally identifiable information (PII). As a result, approximately 28,000 records of PII were forwarded to a suspicious external email address...
"Upon discovery of the malicious activity, our IT and security team removed the forwarding rule and malicious O365 add-in. We have also scanned for any similar occurrences within all other accounts and across our systems. We have found no other indications of compromise."
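The detection SANS describes, a review of mailbox rules that turned up a forwarding rule sending mail to an external address, is simple to automate. The script below is an added example, not SANS's tooling or Microsoft's API: it takes a list of inbox-rule records (the sample records are constructed, and the attribute names follow the ForwardTo, ForwardAsAttachmentTo and RedirectTo properties of Exchange Online's Get-InboxRule cmdlet, though the exact export shape is an assumption) and flags every enabled rule whose forwarding or redirect targets fall outside the organisation's own mail domains.

```python
# Added example (not from the SANS disclosure): audit exported mailbox inbox
# rules for forward/redirect actions whose targets lie outside the organisation.
# Records are constructed; attribute names mirror Get-InboxRule's ForwardTo,
# ForwardAsAttachmentTo and RedirectTo properties, but the export shape is an
# assumption.
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.org"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def suspicious_rules(rules: List[InboxRule]) -> List[Tuple[str, str, List[str]]]:
    """Return (mailbox, rule name, external targets) for each enabled rule that
    forwards or redirects mail to at least one address outside INTERNAL_DOMAINS.
    Disabled rules are skipped; internal-only forwarding is not reported."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        targets = rule.forward_to + rule.forward_as_attachment_to + rule.redirect_to
        external = sorted({t for t in targets if is_external(t)})
        if external:
            findings.append((rule.mailbox, rule.name, external))
    return findings


# Constructed sample export: one benign rule, one internal forward, one
# external forward with an inconspicuous one-character name, one disabled rule.
SAMPLE_RULES = [
    InboxRule("alice@example.org", "Move newsletters", True),
    InboxRule("bob@example.org", "Backup", True,
              forward_to=["bob.archive@example.org"]),
    InboxRule("carol@example.org", ".", True,
              forward_to=["mail-sync@attacker-controlled.example"]),
    InboxRule("dave@example.org", "old rule", False,
              redirect_to=["x@attacker-controlled.example"]),
]

if __name__ == "__main__":
    for mailbox, name, ext in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' sends mail to {', '.join(ext)}")
```

Run periodically against a fresh export of all mailboxes rather than once: the SANS statement notes that the rule was found during a systematic review, and a forwarding rule can be re-created after the account is cleaned if the credential or add-in that planted it is still in place.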
For more, see the CyberWire Pro Privacy Briefing.
Adversaries' opinions on the 2020 US election candidates.
The US Office of the Director of National Intelligence on Friday released a statement on election interference. NCSC Director William Evanina says that China, Russia, and Iran are all interested in various forms of interference. Briefly, China dislikes President Trump, whom it regards as unpredictable, and wants him out. Iran also dislikes the incumbent and sees his reelection as likely to mean increased pressure on the Islamic Republic. Russia is denigrating former Vice President Biden, whom Moscow sees as dangerously connected with Ukraine and as part of an anti-Russian establishment.
For more, see the CyberWire Pro Disinformation Briefing.
Water Nue BEC gang targets financial executives.
Trend Micro warns that a business email compromise (BEC) gang has targeted financial executives at more than a thousand companies around the world since March 2020. The group, dubbed "Water Nue," uses spearphishing emails that direct recipients to spoofed Office 365 login portals. After compromising an Office 365 account, the attackers will send "emails containing invoice documents with tampered banking information...to subordinates in an attempt to siphon money through fund transfer requests." The attackers rely on public cloud services to host their infrastructure, and they use legitimate cloud-based email distribution services to send their phishing emails.
While the Water Nue gang isn't technically sophisticated, its techniques have been effective. So far, they've successfully stolen credentials from more than eight-hundred of their targets.
For more, see the CyberWire Pro Research Briefing.
TikTok under review by EU task force.
TikTok announced that it's spending $500 million (€420 million) to set up its first EU-based data center in Ireland. The company says European user data will be stored at this location when the center comes online in early 2022.
Meanwhile, France's data privacy regulator CNIL is investigating TikTok's data collection and transparency practices, according to Reuters. CNIL told Reuters that it "began investigations into the tiktok.com website and the TikTok application in May 2020" after receiving a complaint. TikTok told the publication, "We are aware of the investigation by the CNIL and are fully cooperating with them." Reuters also reports, citing a CNIL spokesperson, that "CNIL is part of a recently established EU task-force on TikTok. It is notably reviewing TikTok’s arrival in the region and its wish for Ireland’s Data Protection Commission (DPC) as its chief oversight national regulator."
For more business news, see the CyberWire Pro Business Briefing.
Patch news.
Google has patched a flaw in Chrome discovered by PerimeterX that could have allowed an attacker with authenticated access to a web server to bypass Content Security Policies (CSP) in Chromium-based browsers, including Chrome, Edge, and Opera. The vulnerability existed in Chrome versions 73 (March 2019) through 83 (July 2020). The flaw has been rated "medium severity," since it required an attacker to have already compromised a web server, but it was so widespread that it presented a considerable risk to user data.
Pulse Secure sent us an update on the recent issues with outdated versions of its VPN server. Scott Gordon, chief marketing officer at Pulse Secure, said:
"Like other vendors, Pulse Secure takes vulnerabilities seriously and continues to apply industry best practices to expedite work with threat researchers and protect our customers. We urge all our customers deploy the security patch fix, available since April 2019, to protect themselves from threat actors and potential attacks. We have already contacted customers that have yet to apply the patch fix multiple times using contact information available to us, and we will continue to do so until [they] deploy the patch to all their systems. For more information, please visit SA44101."
Crime and punishment.
The US Department of Justice, in cooperation with the government of Vietnam, shut down more than three-hundred websites running COVID-19-themed scams. The Justice Department accused three Vietnamese citizens of operating the sites, and the three defendants have been arrested by Vietnamese authorities.
Courts and torts.
TikTok is preparing to file a lawsuit against the Trump administration over the president's recent Executive Order that would ban the company from doing business in the United States, NPR reports. The lawsuit is expected to assert that the order "is unconstitutional because it failed to give the company a chance to respond. It also alleges that the administration's national security justification for the order is baseless."
TikTok employees in the US are planning to file their own lawsuit over the order, according to CNET. One of the lawyers working on the case said "the U.S. government with its overbroad executive order has put employees' Constitutional rights, including the right to be paid, in jeopardy."
Consumer Watchdog is suing Zoom on behalf of the public, alleging that the company "falsely and repeatedly claimed it made use of so-called "end-to-end encryption" to protect communications on its video-conferencing platform in an effort to attract customers and build its brand—in violation of the District of Columbia Consumer Protection Procedures Act ("DCCPPA"), which prohibits unlawful trade practices and false advertising." The lawsuit was filed in Washington DC, and seeks up to $1,500 for every instance in which a DC resident used Zoom for non-business purposes.
Salesforce and Oracle are facing a €10 billion GDPR lawsuit from the Privacy Collective, a group the Register describes as "a legally aggressive privacy campaign group." The lawsuit will allege that Oracle's Bluekai and Salesforce DMP ad-tech platforms misused consumer data by aggregating information from various websites in order to build marketing profiles.
Policies, procurements, and agency equities.
Deutsche Welle reports that the German government is moving forward with plans to create a cybersecurity agency whose mission will include development of advanced cyber defense capabilities. The new organization will receive initial funding of €350 million ($412 million) through 2023. Its interim headquarters will be in Halle, eventually moving to permanent facilities at the Leipzig/Halle Flughafen. Defense Minister Annegret Kramp-Karrenbauer called the measure a "milestone in the protection of our IT systems." When the agency's creation was announced in 2018, Deutsche Welle quoted government officials who likened its purpose to that of America's DARPA.
At DEFCON last week, US Army Brigadier General William Hartman, who commands the Cyber National Mission Force at US Cyber Command, outlined how his organization was working to defend US elections. C4ISRNET reports that General Hartman says the Cyber National Mission Force now has components that "live outside of SCIFs" (that is, outside sensitive compartmented information facilities) in online places where they can take advantage of unclassified networks to gather information and, most importantly, cooperate with other Government agencies and the private sector to share intelligence.
The US and the European Union are in talks concerning a successor to the former Privacy Shield data handling agreement, recently invalidated by the European Court of Justice in its Schrems II decision.
For more, see the CyberWire Pro Policy Briefing.