Russia's GRU blamed for cyberattacks against Georgia.
The US State Department and the UK's National Cyber Security Centre (NCSC) have stated that Russia's GRU was behind thousands of website defacements that targeted the country of Georgia in October 2019. The attacks involved some 15,000 Georgian websites being temporarily knocked offline after being defaced with an image of the country's former president, Mikheil Saakashvili, accompanied by the text "I'll be back."
US Secretary of State Mike Pompeo said on Thursday that the incident "contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries." The NCSC stated that "the GRU conducted these cyber-attacks in an attempt to undermine Georgia’s sovereignty, to sow discord and disrupt the lives of ordinary Georgian people." The Australian government also released a statement condemning the attacks, saying "We will not stand by when cyberspace is used to destabilise democracies, undermine institutions or disrupt critical infrastructure." The Georgian government said the cyberattack "runs counter to the principles and norms of international law and represents another breach of Georgia's sovereignty against the country's European and Euro-Atlantic integration and democratic development."
In their statements, the US and UK also formally attributed the Sandworm threat group (also known as BlackEnergy Group, Telebots, and Voodoo Bear) to the GRU's Main Centre of Special Technologies (GTsST), also known by its field post number as Unit 74455. According to the NCSC, this unit was responsible for the BlackEnergy and Industroyer/CrashOverride attacks against Ukraine's electricity grid in 2015 and 2016, as well as the NotPetya and BadRabbit attacks in 2017. The NCSC notes that the operation against Georgia marks "the first significant example of the GRU using cyber-attacks to disrupt or destroy since late 2017."
It's worth noting that Saakashvili, whose image was used in the attacks, was a staunchly pro-Western president, so it's unlikely that the GRU was seeking to prop him up. Rather, as Khatuna Mshvidobadze told WIRED, the attacks were most likely a false flag operation designed to sow division within the country (and in this, it seems they were successful, according to ZDNet).
Ransomware attack led to gas pipeline shutdown.
An unnamed gas pipeline facility in the United States sustained a ransomware attack that disabled some important operational technology (OT) systems, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA said the attacker used a spearphishing attack to compromise a natural gas compression facility’s IT network, then used this access to move into the facility’s OT network.
The attacker then deployed ransomware against devices on both the IT and OT networks. The affected OT systems included human machine interfaces (HMIs), data historians, and polling servers, all of which are used to monitor a plant's operations rather than to control them. The malware only affected devices running Windows, so it didn't impact the lower-level programmable logic controllers that actually drive the physical process. As a result, the facility's operators never lost control of the plant, but they did lose visibility into what was happening, so they deliberately shut the facility down for roughly two days. Because other compression facilities depend on the affected site, the whole pipeline had to be shut down until the plant was recovered.
Dragos believes CISA is talking about the same attack the US Coast Guard warned about in less-specific terms late last year. That incident involved the Ryuk ransomware. Dragos says the incident described by the CISA alert involves "well-known ransomware behavior and is not an ICS-specific or ICS targeted event." CISA didn't say how the attackers spread throughout the network, but Dragos explains that "current trends in ransomware leverage initial access into victim environments to capture credentials or compromise Windows Active Directory (AD) to gain widespread access to the victim’s entire network." This fits with CISA's statement that only Windows-based machines were impacted.
If Dragos's assessment is correct, the ransomware reached the OT network because that network wasn't properly segregated from the IT network, not because the malware was designed to target ICS processes. A Windows-only ransomware strain that spreads via harvested credentials or a compromised domain will happily encrypt an HMI or historian if there is a routable path to it and the OT hosts trust the same Active Directory.
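The segregation failure above is the kind of thing a plant can audit from its own flow records before an incident. The following Python script is an added example, not code from CISA or Dragos, and the zone addresses, jump host and flow records in it are constructed for illustration. It flags any session that crosses from the IT zone into the OT zone without going through an approved jump host, and calls out the ports (SMB, RPC, RDP, WinRM) that credential- and AD-driven ransomware typically uses to spread.

```python
"""Flag IT-to-OT network crossings in flow records.

Added example with constructed data; zone addressing, jump host and
sample flows are hypothetical and must be replaced with site values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical zoning for a compression facility.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("10.200.0.0/16")
# Only this DMZ jump host may open sessions into OT, and only on these ports.
JUMP_HOST = ipaddress.ip_address("10.50.0.5")
ALLOWED_JUMP_PORTS = {22, 3389}
# Ports commonly abused for AD-driven lateral movement on Windows networks.
LATERAL_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB",
                 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


@dataclass(frozen=True)
class Flow:
    src: str      # source IP (session initiator)
    dst: str      # destination IP
    dport: int    # destination TCP/UDP port
    proto: str = "tcp"


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to a coarse security zone."""
    addr = ipaddress.ip_address(ip)
    if addr in OT_ZONE:
        return "OT"
    if addr in IT_ZONE:
        return "IT"
    if addr == JUMP_HOST:
        return "DMZ-JUMP"
    return "OTHER"


def check_flow(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow violates the IT/OT segregation policy."""
    if zone_of(flow.dst) != "OT":
        return None  # only sessions initiated INTO the OT zone are checked here
    src_zone = zone_of(flow.src)
    if src_zone == "OT":
        return None  # intra-OT traffic is governed by a separate policy
    if src_zone == "DMZ-JUMP":
        if flow.dport in ALLOWED_JUMP_PORTS:
            return None
        return Finding(flow, f"jump host used unapproved port {flow.dport}")
    svc = LATERAL_PORTS.get(flow.dport)
    if svc:
        return Finding(flow, f"{src_zone} -> OT on lateral-movement port {flow.dport}/{svc}")
    return Finding(flow, f"{src_zone} -> OT session bypassing jump host (port {flow.dport})")


def check_flows(flows: Iterable[Flow]) -> List[Finding]:
    return [f for f in map(check_flow, flows) if f is not None]


# Constructed sample: one legitimate jump-host RDP session, two intra-zone
# flows, and three crossings that the policy should flag.
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.200.1.10", 445),   # IT workstation -> OT historian, SMB
    Flow("10.50.0.5", "10.200.1.10", 3389),   # jump host -> OT HMI, RDP (allowed)
    Flow("10.50.0.5", "10.200.1.11", 445),    # jump host -> OT on SMB (not allowed)
    Flow("10.200.1.10", "10.200.1.20", 502),  # OT -> OT Modbus/TCP (out of scope)
    Flow("10.10.4.21", "10.10.0.5", 445),     # IT -> IT (out of scope)
    Flow("10.10.4.21", "10.200.1.12", 8080),  # IT -> OT on an arbitrary port
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(f"{finding.flow.src} -> {finding.flow.dst}:{finding.flow.dport}  {finding.reason}")
```

Run against real NetFlow/IPFIX or firewall logs, the same check also tells you whether the "segregation" on paper matches what the network actually permits; a long list of IT-to-OT SMB and RDP flows is exactly the path the ransomware in this incident took.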
Fox Kitten tied to Iranian APTs.
ClearSky researchers have discovered a large espionage campaign which they attribute to Iranian APTs, particularly APT34 (OilRig) with possible participation from APT33 (Elfin) and APT39 (Chafer). ClearSky calls the operation "Fox Kitten," and they believe the campaign displays extensive collaboration between APT34 and APT33.
The threat actors primarily exploit vulnerabilities in various VPN products to gain initial access to their targets. After gaining a foothold, the attackers establish persistence "by opening a variety of communication tools, including opening RDP links over SSH tunneling." Tunnelling RDP through SSH lets the attackers reach the desktop of a compromised host without exposing port 3389 to the Internet; on the victim, the RDP session appears to originate from the loopback address rather than from the attacker's infrastructure.
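That loopback artefact is a usable detection. The script below is an added example, not ClearSky's tooling, and the netstat output and process list it examines are constructed for illustration. It parses Windows `netstat -ano` style lines, finds established RDP sessions whose client side is on loopback, identifies the local process that owns that client socket (an SSH client such as plink is the tell), and lists that process's external connections, which is where the SSH tunnel to the attacker's server shows up. The heuristic is an assumption: legitimate software can also tunnel RDP over loopback, so hits need triage.

```python
"""Detect RDP sessions arriving over a local SSH tunnel from netstat output.

Added example with constructed data. The netstat lines and the PID-to-process
map below are hypothetical; on a real host feed in `netstat -ano` and
`tasklist` output instead.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RDP_PORT = 3389


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` lines; UDP rows (no state column) are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, foreign, state, pid = parts
        conns.append(Conn(proto, local, foreign, state, int(pid)))
    return conns


def split_addr(addr: str) -> Tuple[str, int]:
    """'127.0.0.1:3389' -> ('127.0.0.1', 3389); '[::1]:3389' -> ('[::1]', 3389)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "[::1]"


def find_tunnelled_rdp(conns: List[Conn], procs: Dict[int, str]) -> List[dict]:
    """Return one record per RDP session whose client socket is on loopback."""
    established = [c for c in conns if c.state == "ESTABLISHED"]
    hits = []
    for server_side in established:
        lhost, lport = split_addr(server_side.local)
        fhost, _ = split_addr(server_side.foreign)
        if lport != RDP_PORT or not is_loopback(fhost):
            continue
        # The client end of the loopback pair is the connection whose local
        # address equals the server's foreign address; its PID is the tunnel.
        clients = [c for c in established if c.local == server_side.foreign]
        for client in clients:
            remote = [c.foreign for c in established
                      if c.pid == client.pid
                      and not is_loopback(split_addr(c.foreign)[0])]
            hits.append({
                "rdp_client_pid": client.pid,
                "process": procs.get(client.pid, "unknown"),
                "remote_endpoints": remote,
            })
    return hits


# Constructed sample: a normal RDP session from a LAN workstation (PID 1120 is
# the RDP service), plus an RDP session entering via loopback from PID 6644,
# which also holds an outbound SSH connection to an external host.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    10.10.4.21:3389        10.10.4.50:51234       ESTABLISHED     1120
  TCP    127.0.0.1:3389         127.0.0.1:49731        ESTABLISHED     1120
  TCP    127.0.0.1:49731        127.0.0.1:3389         ESTABLISHED     6644
  TCP    10.10.4.21:49702       203.0.113.7:22         ESTABLISHED     6644
  TCP    10.10.4.21:49710       10.10.0.20:445         ESTABLISHED     4
  UDP    0.0.0.0:3389           *:*                                    1120
"""
SAMPLE_PROCS = {1120: "svchost.exe", 6644: "plink.exe", 4: "System"}

if __name__ == "__main__":
    for hit in find_tunnelled_rdp(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCS):
        print(f"RDP via loopback from PID {hit['rdp_client_pid']} "
              f"({hit['process']}), external peers: {hit['remote_endpoints']}")
```

The direct session from 10.10.4.50 is not reported; only the loopback-sourced one is, together with the process that owns the client socket and its outbound SSH peer. Blocking outbound TCP/22 from workstations and servers that have no business running SSH clients removes the channel entirely.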
Fox Kitten focuses on organizations around the world in the IT, oil and gas, electricity, aviation, government, and security sectors. The goal of the operation appears to be intelligence gathering and supply chain compromise.
DRBControl targets gambling and betting organizations.
Trend Micro describes a threat actor that's conducting espionage against entities in Southeast Asia, with a particular focus on gambling and betting companies. Trend Micro's researchers believe a previously undiscovered APT is responsible for the activity, and they've dubbed the group "DRBControl." The researchers identified ties between the DRBControl campaign and the China-associated threat groups Winnti and Emissary Panda, although they don't attribute the campaign to either of those groups. DRBControl uses Dropbox for command-and-control communication with its malware, as well as for storing stolen files.
DISA discloses a data breach.
The US Defense Information Systems Agency (DISA) sustained a data breach last year that affected around 200,000 personnel, according to Fifth Domain. Reuters reports that the agency sent letters to people who were potentially affected, saying "During the May to July 2019 timeframe, some of your personal information, including your social security number, may have been compromised in a data breach on a system hosted by the Defense Information Systems Agency." It's not clear if the incident involved an attack or simply a data exposure, but the agency said there was no evidence that the PII was misused.
MGM Resorts suffered data breach last year.
ZDNet and Under the Breach report that personal data belonging to more than 10.6 million guests of MGM Resorts hotels have been posted to a hacker forum. The data include names, addresses, phone numbers, email addresses, and dates of birth. ZDNet confirmed the legitimacy of the data by contacting some of the victims, which included CEOs, government officials, and celebrities.
MGM Resorts told ZDNet that the data had been leaked last summer from a cloud server, and no financial details or passwords were compromised. MGM said it had notified all of the victims at the time, and ZDNet tracked down some online posts from people who said they received these notifications. The leaked data has apparently been circulating in underground forums since July 2019, but this is the first time it's been published on a popular site.
Patch news.
Microsoft revoked a Windows 10 security update after it caused problems for many users, Decipher reports. The update was meant to fix a vulnerability in a third-party UEFI boot manager, which Computer Business Review identifies as Kaspersky Rescue Disk. In April 2019, the Kaspersky feature was found to be able to bypass Secure Boot. Kaspersky says it isn't to blame for the faulty Microsoft update since Kaspersky itself issued a patch for the Rescue Disk vulnerability in August (and TechRadar is inclined to believe the problem is more likely on Microsoft's side). The Microsoft patch was meant to prevent attacks against Secure Boot using older versions of Kaspersky's software. Interestingly, Kaspersky stated that "Microsoft has not reached out to Kaspersky concerning the update issue."
Adobe released out-of-band updates to fix two critical vulnerabilities, Naked Security reports. One (CVE-2020-3764) is in Adobe Media Encoder, and the other (CVE-2020-3765) affects Adobe After Effects. Both vulnerabilities were discovered and reported by researchers working for Trend Micro’s Zero Day Initiative.
Crime and punishment.
Indian police in the Kashmir region have opened a case against at least one hundred people who used VPNs to access banned social media sites, including Facebook, Twitter, and WhatsApp, TechCrunch reports. Reuters quotes Kashmir's cyber police chief as saying, "We have identified 100 social media users and are in the process of identifying more users for misuse of social media, for disseminating fake and false secessionist, anti-India propaganda."
CyberScoop reports that attorneys for Joshua Schulte, the former CIA employee alleged to have leaked the Vault 7 files, have filed for a mistrial on the grounds that prosecutors failed to disclose evidence that could have exonerated Mr. Schulte.
Courts and torts.
Facebook on Tuesday went to trial against the IRS in San Francisco over the agency's allegation that the company undervalued the intellectual property it transferred to Facebook Ireland when it moved its international operations to Dublin in 2010. Facebook says the valuation was appropriate given the risk associated with its international expansion at the time, Reuters reports. If Facebook loses the case, it could be on the hook for up to $9 billion in unpaid taxes.
An Australian federal court has ordered Google to hand over any information it has on an anonymous user who posted a single negative review about a dentist in Melbourne, Naked Security reports. The dentist, Matthew Kabbabe, wants to find out who the reviewer is so he can sue them for defamation. According to SBS News, the judge sided with Kabbabe because the dentist's business depends on the Internet.
Policies, procurements, and agency equities.
The European Commission revealed its plan to achieve technological sovereignty. The plan includes "the creation of European data pools enabling Big Data analytics and machine learning, in a manner compliant with data protection legislation and competition law, allowing the emergence of data-driven ecosystems." The New York Times thinks the proposals are "clearer in identifying the problem than in offering specific solutions."
Washington state's senate has approved a bill (SB 6281) that would block state and local government agencies from using facial recognition in most cases, Governing reports. GeekWire says the bill would also regulate companies who work on facial recognition technology and give Washington residents the ability to change, delete, or transfer personal data stored by companies. The bill must now pass the House before it becomes law.
Fortunes of commerce.
AT&T announced on Thursday that it was pulling out of RSA 2020 over concerns about the coronavirus, stating that "We value our participation in industry events like RSA and greatly support the measures taken by event organizers to protect attendees...But it is our responsibility to safeguard our employees. While we are withdrawing our participation for this year, we look forward to returning next year."
RSA said on Friday that Verizon is also cancelling its attendance. Fourteen companies have pulled out of the conference so far, which RSA notes amounts to less than 2% of the number of expected attendees. Seven of the companies that cancelled are from the US, one is from Canada, and six are from China. Three Chinese companies still plan to attend the conference, but RSA says their booths will be staffed with individuals from the US. San Francisco's mayor released a letter on Friday saying "we look forward to welcoming all RSAC attendees and exhibitors to our city," and asked conference participants to "set an example to prevent fear, rumors, and misinformation from guiding our actions."
Reuters reports that, as a result of Brexit, Google plans to move its British users' accounts out of the control of its Irish subsidiary and under the jurisdiction of its US parent. It's still not clear whether the UK will keep GDPR as its data privacy regime, but Google's move will make the data more accessible to British law enforcement, which can request it from a US company under the US CLOUD Act.
Mergers and acquisitions.
Dell Technologies announced on Tuesday that it has agreed to sell RSA Security to Palo Alto, California-based Symphony Technology Group for $2.075 billion, TechCrunch reports. The sale includes RSA Conference, RSA Archer, RSA NetWitness Platform, RSA SecurID, and RSA Fraud and Risk Intelligence. The deal is expected to close within six to nine months, and RSA will continue its normal business operations until then.
Israeli spyware vendor NSO Group has acquired Tel Aviv-based counter-drone technology startup Convexum for US$60 million, CISO MAG reports.
Investments and exits.
Baltimore, Maryland-based social media security company ZeroFOX has secured $74 million in an oversubscribed Series D round led by Intel Capital, with participation from existing investors NEA, Highland Capital Partners, Redline Capital Management, Hercules Capital, and Core Capital. The Maryland Daily Record reports that ZeroFOX is now considering an IPO.
Washington-based Linux security company Polyverse has raised $8 million in a funding round led by its existing investors along with Soliton Systems.
Santa Clara, California-based cloud security provider Netskope has raised $340 million in a funding round led by Sequoia Capital Global Equities, with participation from new investors Canada Pension Plan Investment Board and PSP Investments and existing investors Lightspeed Venture Partners, Accel, Base Partners, ICONIQ Capital, Sapphire Ventures, Geodesic Capital, and Social Capital. Netskope says the investment brings its total valuation to nearly $3 billion.
Palo Alto, California-based code security startup BluBracket emerged from stealth with a $6.5 million seed investment led by Unusual Ventures, with participation from Point72 Ventures, SignalFire, and Firebolt Ventures, TechCrunch reports.
Australian quantum cybersecurity company QuintessenceLabs received an investment from In-Q-Tel, the US intelligence community's investment arm.
Mountain View, California-based endpoint security company SentinelOne closed a $200 million Series E round led by Insight Partners, with participation from Tiger Global Management, Qualcomm Ventures, Vista Public Strategies of Vista Equity Partners, Third Point Ventures, and previous investors. SentinelOne says the investment brings the company's valuation to $1.1 billion.
Fulton, Maryland-based homomorphic encryption company Enveil has received $10 million in a Series A funding round led by C5 Capital, with participation from Mastercard, Capital One Ventures, Bloomberg Beta, and 1843 Capital.
IronNet Cybersecurity, also based in Fulton, Maryland, is raising "up to $53 million," according to the Baltimore Business Journal. The company previously raised $78 million in a major Series B round in May 2018.
San Francisco-based ForgePoint Capital announced a new $450 million investment fund for cybersecurity companies. One of the first recipients of an investment from ForgePoint's fund is Maryland-based SaaS cybersecurity provider Huntress, which received $18 million in a Series A round.
Rick Howard joins the CyberWire.
The CyberWire announced on Friday that Rick Howard, former Chief Security Officer at Palo Alto Networks, has joined the CyberWire's executive team as Chief Security Officer and Chief Analyst. Howard will work on the CyberWire's editorial team and help shape the upcoming CyberWire Pro subscription products.
Howard stated, "The CyberWire has long been a critical resource for me as a CSO and cybersecurity professional. I’m excited to have the opportunity to bring my own expertise, experience, and imagination to this innovative digital media company at this point on its growth trajectory, not to mention being a part of the publications and programs that have always helped me do my job better and are a staple in the professional lives of so many."