“Where other men blindly follow the truth, Remember, nothing is true.
Where other men are limited by morality or law, Remember, everything is permitted.
We work in the dark to serve the light.
We are assassins.”
―
Google says goodbye to the cookie monster, increasing user privacy
The search giant is planning to "render obsolete" a key tool advertisers use to track people around the web by ending support for third-party cookies in its Chrome browser.
FCW, January 9, 2020
Representatives from three of the largest U.S. voting system manufacturers expressed openness
to new federal regulations to bolster confidence about the security of their
products. Whether any of them will come to fruition and what effect they would
have is less clear. The three companies, Election Systems and Software,
Dominion Voting Systems and Hart InterCivic, have a history of resisting
outside scrutiny of their products. Under a battery of questioning from
lawmakers at a Jan. 9 House Administration Committee hearing, they said they
would support a range of new regulatory and reporting requirements for their
companies and the election industry as a whole. Those potential requirements
include a congressional mandate that states purchase voting machines with paper
records and conduct post-election audits for every vote cast, new public
reporting on security risks associated with their equipment and new federally
crafted guidelines for how to best set up their supply chains. "I think we
would support any requirements that [apply] to all vendors in our industry that
would help educate users of our system and anyone who interacts with
them," said Tom Burt, CEO of ES&S.
Federal News Network, January 9, 2020
The Cyberspace Solarium Commission — a panel consisting of lawmakers from both
sides of the aisle, senior agency executives and private sector leaders — plans
to release its first report, along with a set of 75 recommendations, sometime
within the next few months. Those recommendations will revolve around a central
theme of getting government to react more quickly and decisively in response to
cyber attacks, in a new take on the decades-old concept of security through
deterrence. “The fundamental thing we’ve been grappling with is that, unlike
nuclear weapons, for example, you don’t need necessarily access to nation-state
resources to have access to very powerful cyber weapons,” Rep. Mike Gallagher
(R-Wis.), co-chair of the congressionally established Cyberspace Solarium, said
Tuesday at the Council on Foreign Relations in Washington. “In other words, you
don’t need to be a great power to have a great impact in cyber. And deterrence
is hard enough when it comes to dealing with nation state actors, where the
decision makers are known but yet still unpredictable. It becomes even more
difficult when you’re dealing with non-state actors who may not be known and
whose identities are obscure or nation states that intentionally try to obscure
their activities in cyberspace.” That’s why the commission is looking at a
strategy built around deterrence through punishment. In other words,
retaliation for cyber attacks should be swift, decisive, consistent and public.
The idea is that clear, consistent consequences will make adversaries less
likely to instigate attacks.
Gov Info Security, January 9, 2020
Two Democratic Congressmen have sent letters to nine federal financial regulatory
agencies asking that they take action to shore up cyber defenses in the sector
because of looming security threats from Iran. The move comes in the wake of a
U.S. drone attack last week that killed Iranian Major General Qasem Soleimani
and Iran's retaliatory missile strikes this week against bases in Iraq housing
American troops. In their letter sent this week, Democratic representatives
Emanuel Cleaver II, D-Mo., and Gregory Meeks, D-N.Y., who both sit on the House
Financial Services Committee, wrote that there is an impending threat to the
financial services infrastructure, not only in the U.S. but across the globe.
They urged the regulatory agencies to strengthen the cyber protections that
guard against disruption in financial markets.
Nextgov, January 9, 2020
A half-dozen lawmakers asked the Federal Communications Commission to require
wireless carriers to better protect consumers from new forms of phone
hijacking. In a letter authored by Sen. Ron Wyden, D-Ore., and signed by five
House and Senate members, lawmakers pressed FCC Chairman Ajit Pai to use the regulatory
agency’s authority over wireless carriers to respond to a growing number of “SIM
swap scams.” In these scams, fraudsters convince wireless carriers to transfer
mobile accounts over to them, where they can hijack login credentials and
commit other crimes, such as emptying victims’ bank accounts. Increasingly,
scammers are using these attacks to bypass two-factor authentication that
relies on text messages. Once scammers take ownership of a mobile account,
texts and calls intended for the victim go to scammers instead. “Consumers have
limited options to protect their wireless accounts from SIM swaps and are often
not informed about these options by carriers until after they have been
victimized,” the lawmakers write. “Consumers have no choice but to rely on
phone companies to protect them against SIM swaps—and they need to be able to
count on the FCC to hold mobile carriers accountable when they fail to secure
their systems and thus harm consumers.”
The Hill, January 8, 2020
The House on Wednesday passed a slew of bills aimed at giving the U.S. a leg up over
China in the race to implement the super-fast next-generation wireless networks
known as 5G. The trio of bipartisan bills, which passed the House
near-unanimously, would funnel U.S. government resources into steering
international wireless policy while securing the burgeoning networks against
cyberattacks and foreign influence. The legislation comes as the U.S. works to
win the "race to 5G," which will enable a generation of
Internet-connected devices and offer mobile data speeds up to 100 times what is
currently possible. Congress and the Trump administration have been working to
diminish the power of Chinese telecommunications companies currently dominating
the 5G industry while pouring more money into efforts to build out the networks
in the U.S. “All three of these bills are important for securing America’s
wireless future, and we hope they won’t languish in the Senate," Energy
and Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) and communications
subcommittee Chairman Mike Doyle (D-Pa.) said in a statement. The House on Wednesday
also passed a resolution calling on the U.S. to follow a set of international
cybersecurity standards as it develops 5G capabilities.
ADMINISTRATION
FCW, January 10, 2020
It's a new year, and a new cybersecurity regime for vendors working on defense contracts
is coming. The Defense Department has been steadily working on its new unified
standard, the Cybersecurity Maturity Model Certification (CMMC), and is
expected to release a final version and a list of accrediting bodies in
January. But while companies shouldn't wait until things are finalized to prep
for certification, many are stuck. "CMMC is going to be law of the
land," Corbin Evans, the director of regulatory policy for the National
Defense Industrial Association, told FCW, yet "folks are a little hesitant
to make any major moves." Evans said a proposed rule to amend the Defense
Federal Acquisition Regulation is expected this summer to solidify language and
regulatory authority to include CMMC in contracts and that it's possible
"they may try and stretch and amend the FAR itself." DOD recently
announced that Ty Schieber, the senior director for executive education at the University
of Virginia’s Darden School Foundation, will head a 13-member governing body
for the organization charged with certifying auditors.
Fifth Domain, January 10, 2020
From 2013 to mid-2018, U.S. Cyber Command built its cyber mission force — the 133-team,
roughly 6,200-person cadre of personnel that conduct cyber operations.
Following the build out of those teams, Cyber Command asserted that the focus
would shift to readiness, or maintaining the teams and ensuring they remained
fully capable of performing missions. Now the Department of Defense has taken a
critical step with its cyber teams by establishing metrics that define work
roles and readiness, a top official said Jan. 9. “We now have a signed document
from the secretary that defines what a cyber operating force is,” Maj. Gen.
Dennis Crall, deputy principal cyber adviser and senior military adviser for
cyber policy, said at an AFCEA hosted lunch. And these metrics are “big wins,”
Crall said. Crall said that — unlike in the air, ground and maritime space —
processes for defining and understanding readiness and concrete work roles,
especially for defensive cyber teams known as cyber protection teams, did not
exist prior. Cyber, despite being around for over 20 years, is still a
relatively new discipline within the military for which the force,
capabilities, processes and authorities are still evolving. “We have for the
first time defined what a cyber protection team is. We know what the work roles
are. We know exactly what those teams’ mission are … [and] how to evaluate
them,” he said.
CyberScoop, January 10, 2020
The FBI has told U.S. companies that Iranian hackers have stepped up their probing and
reconnaissance activity in the days since the U.S. military killed Iranian Maj.
Gen. Qassem Soleimani. In an advisory to industry this week obtained by
CyberScoop, the FBI warned that Iranian hackers could target cleared defense
contractors, government agencies, academia and nongovernmental organizations
focused on Iran issues. The FBI assesses that Iranian hackers could use “a
range of computer network operations against U.S.-based networks in retaliation
for last week’s strikes against Iranian military leadership,” says the memo,
which is labeled “TLP White,” meaning its recipients can distribute it
liberally. The Jan. 9 alert did not elaborate on the nature of the increased
Iranian “cyber reconnaissance activity” that the FBI says has occurred since
Soleimani’s killing, nor did it mention any Iranian breaches of networks as
part of that activity.
Ars Technica, January 9, 2020
An Android phone subsidized by the US government for low-income users comes preinstalled
with malware that can't be removed without making the device cease to work,
researchers reported on Thursday. The UMX U686CL is provided by Virgin Mobile's
Assurance Wireless program. Assurance Wireless is an offshoot of the Lifeline
Assistance program, a Federal Communications Commission plan that makes free
or government-subsidized phone service available to millions of low-income
families. The program is often referred to as the Obama Phone because it
expanded in 2008, when President Barack Obama took office. The UMX U686CL runs
Android and is available for $35 to qualifying users. Researchers at
Malwarebytes said on Thursday that the device comes with some nasty surprises.
The first is heavily obfuscated malware that can install adware and other unwanted
apps without the knowledge or permission of the user. The second unpleasant surprise
delivered by the UMX U686CL is something called Wireless Update. While it provides a
mechanism for downloading and installing phone updates, it also loads a barrage of
unwanted apps without permission. Representatives of Sprint, the owner of Virgin
Mobile, meanwhile said it didn't believe the apps were malicious.
ZDNet, January 9, 2020
Officials from the city of Las Vegas said they narrowly avoided a major security incident
that took place on Tuesday, January 7. According to a statement published by
the city on Wednesday, the compromise took place at 4:30 a.m. on Tuesday. The
city said IT staff immediately detected the intrusion and took
steps to protect impacted systems. The city responded by taking several
services offline, including its public website, which is still down at the time
of writing. City officials have not disclosed any details about the nature of
the incident, but local press reported that it might have involved an email
delivery vector. In a subsequent statement published on Twitter on Wednesday,
the city confirmed it "resumed full operations with all data systems
functioning as normal."
WRC, January 9, 2020
Two members of the D.C. Homeland Security Commission are questioning the District’s
decision to not release a cybersecurity report the members say they prepared
for the public. On Friday, a second member told the News4 I-Team the report was
completed in 2018, but the commission was immediately met with delays and
resistance from District leaders over its release. The news comes a day after
District leaders cited security concerns stemming from the recent conflict with
Iran as a reason to withhold the report, despite a city law that specifies annual
reports prepared by the Homeland Security Commission be made “available to the
public.” "The events of the last week, particularly with the heightened
cyberthreat from overseas, only reinforces the fact that that report right now
will not be made public," Chris Rodriguez, the director of D.C.’s Homeland
Security and Emergency Management Agency, said during a Thursday press
conference with Mayor Muriel Bowser.
Federal News Network, January 8, 2020
The Air Force has run three separate bug bounties to test the cybersecurity of its IT
systems so far. And while they’ve managed to find hundreds of vulnerabilities,
the service wants to take the approach much farther, including by inviting
hackers to probe for weaknesses in its parts supply chain and its satellites.
The “Hack the Air Force” competitions have, so far, focused on the service’s
public websites and its Cloud One environment. While they’ve led to myriad
security improvements, the approach has its limitations. For one, it’s only
finding vulnerabilities on systems that are already up and running. For
another, it’s not addressing the vast array of potential cyber
vulnerabilities in areas of the IT landscape the DoD acquisition process
doesn’t pay much attention to, like the embedded systems and subsystems deep in
the supply chain which eventually make their way into military equipment.
KXAN, January 8, 2020
State investigators and the FBI are searching for who launched a cyberattack on the
Texas Department of Agriculture website, replacing the imagery with that of
dead Iranian General Qassem Soleimani. Soleimani was killed earlier this month
in a U.S. drone strike in Iraq and was the prominent military leader for the
Iranian government. The country promised retaliation. Overnight Monday, a
spokesman for the Department of Agriculture confirmed its website had been defaced
and replaced with a black background and white imagery of Soleimani. No personal
information was accessed, according to the spokesman — the only change was
superficial. The image showed a white image of the general on a black
background with “hacked by Iranian Hacker” underneath, with smaller Arabic
letters surrounding it. It is not clear how hackers were able to get access to
the website but text claimed the hack came from “Shield Iran.”
FCW, January 7, 2020
Network and infrastructure operators need to be alert to growing cybersecurity risks in the
wake of the targeted killing of Iranian military leader Gen. Qassim Soleimani
in a drone strike last week. That's the message from the Cybersecurity and
Infrastructure Security Agency at the Department of Homeland Security in a Jan.
6 publication aimed at both government and private sector officials. U.S.
officials and cybersecurity experts are concerned that Iranian reprisals for
the killing of Soleimani could take the form of attacks on U.S. networks or
critical infrastructure. Hossein Salami, the head of the Revolutionary Guards
forces in Iran, threatened a "tough, strong, decisive and finishing"
revenge in a speech on Jan. 7. "We say again that we have strong
determination and take revenge and if they continue, we will set fire at the
place they like and they know where it is," Salami said in remarks
translated by Iran's Fars News Service. The CISA document points out that
tensions between U.S. and Iran "have the potential for retaliatory
aggression against the U.S. and its global interests."
Gov Info Security, January 6, 2020
Hacktivists have long used website defacements to bring attention to their causes. Breaking
into a website, or seizing its domain name and redirecting the domain, is rarely
a long-lasting attack, but it usually causes embarrassment, and, at a technical
level, highlights gaps in website security. Such attacks are so frequent that
most barely register attention. But one over the weekend stuck out: the website
for the U.S. Federal Depository Library Program, which featured a doctored
photo of President Donald Trump being punched in the face with an Iranian flag
in the background. The FDLP, which is designed to make federal documents
available to the public, is part of the Government Publishing Office.
The San Francisco Chronicle, January 5, 2020
Rudy Giuliani’s mixing of his business interests, closeness with President Trump and
involvement in government actions involving Ukraine is the subject of much
attention from Congress as the impeachment case against the president moves
toward the Senate. But a Chronicle investigation has found that Giuliani’s
blurring of White House and personal business didn’t start with Ukraine. It
began in the early days of the Trump administration, when Giuliani was named as
a White House adviser in an area where he had limited experience but was trying
to build a clientele: cybersecurity. His unpaid position with the new
administration was vague, because Trump never gave him an official title or
created a formal advisory committee for him to serve on or to chair. If Trump
had done so, federal ethics laws would have obliged Giuliani to reveal any
financial connections that might enable him to profit from his position.
Without an official government job — but with a publicized informal role — the
former U.S. attorney and two-term mayor of New York was able to present himself
to prospective clients as someone with a direct line to the president, without
any transparency for the public.
INDUSTRY
ZDNet, January 10, 2020
A team of four Danish security researchers has disclosed this week a security flaw that
impacts cable modems that use Broadcom chips. The vulnerability, codenamed
Cable Haunt, is believed to impact an estimated 200 million cable modems in
Europe alone, the research team said today. The vulnerability impacts a
standard component of Broadcom chips called a spectrum analyzer. This is a
hardware and software component that protects the cable modem from signal
surges and disturbances coming via the coax cable. The component is often used
by internet service providers (ISPs) in debugging connection quality. On most
cable modems, access to this component is limited to connections from the
internal network. The research team says the Broadcom chip spectrum analyzer
lacks protection against DNS rebinding attacks, uses default credentials, and
also contains a programming error in its firmware. Researchers say that by
tricking users into accessing a malicious page via their browser, they can use
the browser to relay an exploit to the vulnerable component and execute
commands on the device.
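The relay described above works because a browser that has been rebound to the modem's LAN address still sends the attacker's hostname in the Host header, and a service with no rebinding protection answers anyway. The standard fix for a LAN-only service is to accept only Host values it actually owns. What follows is an added example of that check, not code from the research team or from any modem firmware; the device names and addresses in TRUSTED_HOSTS and TRUSTED_ADDRS are assumptions for the illustration.

```python
import ipaddress

# Names and addresses the LAN-only service considers its own. Assumed for the
# example; a real device would fill these from its configured interface address.
TRUSTED_HOSTS = {"modem.local"}
TRUSTED_ADDRS = {ipaddress.ip_address("192.168.100.1"),
                 ipaddress.ip_address("192.168.0.1")}


def host_from_header(value):
    """Return the host part of a Host header without the port.

    Accepts "name", "name:8080", "1.2.3.4:80" and "[::1]:80"; returns "" when the
    header is empty or malformed (non-numeric port, unterminated bracket).
    """
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        return value[1:end] if end > 1 else ""
    host, _sep, port = value.partition(":")
    if port and not port.isdigit():
        return ""
    return host


def is_rebinding_request(headers):
    """True when the browser believes it is talking to a name we do not own.

    After a DNS rebinding the attacker's hostname (say modem.attacker.example)
    resolves to the modem's LAN address, so the request physically arrives here,
    but the browser still puts that hostname in Host. The attacker cannot make
    the browser send a Host value for a name they do not control, so refusing
    every Host that is not ours breaks the attack.
    """
    host = host_from_header(headers.get("Host", ""))
    if not host:
        return True            # HTTP/1.1 requires Host; treat absence as hostile
    if host in TRUSTED_HOSTS:
        return False
    try:
        return ipaddress.ip_address(host) not in TRUSTED_ADDRS
    except ValueError:
        return True            # some other DNS name: this is a rebinding


def handle(headers):
    """Minimal dispatcher: 403 for rebinding requests, 200 otherwise."""
    return 403 if is_rebinding_request(headers) else 200


# Constructed requests: a legitimate LAN visit and a rebound browser.
LEGIT = {"Host": "192.168.100.1:8080", "User-Agent": "Mozilla/5.0"}
REBOUND = {"Host": "modem.attacker.example", "User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    print("LAN visit ->", handle(LEGIT))       # 200
    print("rebound   ->", handle(REBOUND))     # 403
```

The check belongs in front of every handler, not only the login page, because the rebound page can call any endpoint the device exposes. If the service also speaks WebSocket, the same comparison must be applied to the Origin header of the upgrade request. None of this helps with the other two findings in the write-up: default credentials still have to be changed, and the firmware bug still has to be patched.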
CyberScoop, January 10, 2020
It’s been more than two weeks since researchers went public with a critical vulnerability
in products made by corporate VPN service provider Citrix that could give a
hacker free rein over the many enterprise networks that use the software. Now,
with no sign of a complete patch for the vulnerability, cybersecurity experts
are exhorting organizations to address the issue. “It’s extremely important to
apply the mitigation steps and recognize that there is no patch for this,” said
Dave Kennedy, founder of cybersecurity company TrustedSec, adding that he has
already seen attackers scanning for vulnerable systems. “We have a working
exploit, and it took us under a day to develop it,” Kennedy told CyberScoop.
“Attackers have the same capabilities.” The flaw, discovered by cybersecurity
company Positive Technologies, is in a Citrix cloud-based application delivery
tool, as well as a product that allows remote access to the company’s
applications. Based on the popularity of the software tools, Positive
Technologies claimed that the vulnerability could affect tens of thousands of
companies.
Security Boulevard, January 10, 2020
Armis, a provider of a service through which organizations can discover devices
connected to their networks and assess the level of risk they represent, has
been acquired by Insight Partners for $1.1 billion in cash. Company CTO Nadir
Izrael said the funding will be used to both expand the global reach of the
service and drive the development of applications that will further analyze the
data Armis collects on behalf of customers. The Armis service is based on an
agentless architecture that employs algorithms to profile devices that are
connected to various customer networks. Once those devices are profiled, Izrael
said it becomes possible for Armis to instantly recognize whenever one of those
devices is connected to another network. In effect, Armis is crowdsourcing data
about different devices to enable IT organizations to track assets that are
becoming more diverse with each passing day, he said.
Security Week, January 9, 2020
Rockwell Automation on Wednesday announced that it has entered an agreement to acquire
Israel-based cybersecurity solutions provider Avnet Data Security in an effort
to expand its cybersecurity expertise. Founded in 1995, Avnet provides a wide
range of services and solutions for IT and OT environments, including
penetration testing, assessments, training, and network and security products.
In terms of ICS and SCADA security, Avnet specializes in consultancy, training
and research. The company claims to have assisted major utilities and other
organizations in securing their OT networks. Rockwell Automation says it has decided
to acquire Avnet because its extensive knowledge and experience will support
its objective to “achieve double digit growth in Information Solutions and
Connected Services by expanding our IT/OT cyber and network expertise
globally.”
Ars Technica, January 8, 2020
In April of 2019, Pulse Secure issued an urgent patch for a vulnerability in its popular
corporate VPN software—a vulnerability that not only allowed remote attackers
to gain access without a username or password but also to turn off multi-factor
authentication and view logs, usernames, and passwords cached by the VPN server
in plain text. Now, a cybercriminal group is using that vulnerability to target
and infiltrate victims, steal data, and plant ransomware. Travelex, the foreign
currency exchange and travel insurance company, appears to be the latest victim
of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware,
also known as REvil. The ransomware operators contacted the BBC and said they
want Travelex to pay $6m (£4.6m). They also claimed to have had access to
Travelex's network for six months and to have extracted five gigabytes of
customer data—including dates of birth, credit card information, and other
personally identifiable information. "In the case of payment, we will
delete and will not use that [data]base and restore them the entire
network," the individual claiming to be part of the Sodinokibi operation
told the BBC. "The deadline for doubling the payment is two days. Then
another seven days and the sale of the entire base." Security researcher
Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An
exploit for the vulnerability has been available on Internet bulletin boards
since August of 2019.
Wired, January 8, 2020
The social video app TikTok has been branded a potential security threat for its ties to
China—the app is owned by the Beijing-based company ByteDance—but like any
piece of software it also has the potential for more immediate security
concerns. Recently patched vulnerabilities in the app could have allowed an
attacker to take over TikTok accounts, add or delete videos, and expose private
data like user information or videos marked "hidden." Researchers
from the security firm Check Point first disclosed the bugs to TikTok in late
November, and the company patched all of them on iOS and Android by the end of
December. The findings come, though, as Congress has held hearings and called
for investigations in recent months over the possibility that the app poses a
national security risk. And the US Army and Navy both banned the app from their
devices at the end of 2019, calling it a cyber threat. All software has bugs,
and a few vulnerabilities don't reveal that TikTok is at all malicious. But the
findings show that the social media app of the moment merits more scrutiny.
Ars Technica, January 8, 2020
Mozilla has released a new version of Firefox that fixes an actively exploited zero-day
that could allow attackers to take control of users' computers. In an advisory,
Mozilla rated the vulnerability critical and said it was "aware of
targeted attacks in the wild abusing this flaw." The US Cybersecurity and
Infrastructure Security Agency said one or more exploits were "detected in
the wild" and warned that the flaw could be exploited to "take control
of an affected system." The Mozilla advisory credited researchers at
China-based Qihoo 360 with reporting the flaw. No other details about the
attacks were immediately available. Neither Mozilla nor Qihoo 360 responded to
emails asking for more information. CVE-2019-17026, as the vulnerability is
indexed, is a type confusion, a potentially critical error that can result in
data being written to, or read from, memory locations that are normally
off-limits. These out-of-bounds reads may allow attackers to discover memory
locations where malicious code is stored so that protections such as address
space layout randomization can be bypassed. Out-of-bounds reads can also cause
crashes.
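The closing sentences describe the general mechanism: a type confusion lets code read the fields of one object through the layout of another, and when the field that overlaps is a pointer, the value that comes back is an address, which is exactly what an attacker needs to defeat ASLR. The following is an added model of that mechanism built with Python's ctypes; it is not code from Mozilla or Qihoo 360 and does not reproduce CVE-2019-17026 itself, whose details the article does not give. The two object layouts, the field names and the make_string helper are invented for the illustration.

```python
import ctypes

KIND_INT, KIND_STRING = 1, 2

# Two object layouts an engine might keep in the same slot. Both begin with a
# kind tag that must be consulted before choosing a view. (Invented layouts.)
class JSInt(ctypes.Structure):
    _fields_ = [("kind", ctypes.c_int), ("value", ctypes.c_size_t)]

class JSString(ctypes.Structure):
    _fields_ = [("kind", ctypes.c_int),
                ("chars", ctypes.c_char_p),      # same offset as JSInt.value
                ("length", ctypes.c_size_t)]

class JSValue(ctypes.Union):
    _fields_ = [("kind", ctypes.c_int), ("as_int", JSInt), ("as_string", JSString)]


def make_string(buf):
    """Wrap a ctypes char buffer as a KIND_STRING value; buf must outlive it."""
    v = JSValue()
    v.as_string.kind = KIND_STRING
    v.as_string.chars = ctypes.cast(buf, ctypes.c_char_p)
    v.as_string.length = len(buf.value)
    return v


def confused_int_value(v):
    """Vulnerable pattern: a path that 'knows' v is an int and skips the tag check.

    For a string, JSInt.value overlays JSString.chars, so the integer returned
    is the address of the character data: an ASLR-defeating information leak.
    """
    return v.as_int.value


def checked_int_value(v):
    """Hardened: consult the tag and refuse to reinterpret a non-int."""
    if v.kind != KIND_INT:
        raise TypeError("value is not an int")
    return v.as_int.value


def leak_equals_pointer():
    """Does the confused read hand back the buffer's address bit for bit?"""
    buf = ctypes.create_string_buffer(b"hello")
    v = make_string(buf)
    return confused_int_value(v) == ctypes.addressof(buf)


def checked_read_refuses_string():
    """Does the hardened read reject the same value?"""
    buf = ctypes.create_string_buffer(b"hello")
    v = make_string(buf)
    try:
        checked_int_value(v)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    buf = ctypes.create_string_buffer(b"hello")
    v = make_string(buf)
    print(f"confused read returned 0x{confused_int_value(v):x}")
    print(f"character data lives at 0x{ctypes.addressof(buf):x}")
```

The reverse confusion, treating the int as a string, is the write-up's out-of-bounds read: the engine would dereference an attacker-chosen integer as the chars pointer and read `length` bytes from wherever it points. Real JIT bugs of this class arise when a compiled fast path drops the tag check on the assumption that a value's type cannot change; the model above simply omits the check to show the consequence.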
Gov Info Security, January 7, 2020
Accenture plans to buy the former Symantec Cyber Security Services business from Broadcom
for an undisclosed sum, the two companies announced Tuesday. The deal for the
Symantec services unit comes only five months after Broadcom paid $10.7 billion
for Symantec's entire enterprise security division. While the Accenture
Security unit will pick up the Symantec services business, Broadcom will retain
Symantec's security software division. The acquisition is expected to close in
March. About 300 Symantec services employees will then move over to Accenture
Security.
Bloomberg, January 6, 2020
Shares of cybersecurity companies gained in the aftermath of last week’s killing of a top
Iranian military official as investors bet the increased risk of attacks will
result in more business. Crowdstrike Holdings Inc. rose as much as 11% on
Monday, adding to a 2.7% gain in Friday’s session. FireEye Inc. has advanced 5%
over two days. Companies that offer threat-detection services are the ones most
likely to benefit from increased risk of attacks compared with those offering
more traditional services like firewall defense, according to Mandeep Singh, a
Bloomberg Intelligence analyst. “It’s really the pure-play security companies
that do threat detection that are the ones that can be the direct beneficiary
of something like this,” he said in an interview. “These events are more of a
tailwind, it can drive up their services businesses.”
Gov Info Security, January 6, 2020
A lawsuit against DCH Health System in the wake of a ransomware attack that disrupted
medical services for several days alleges that the Alabama-based organization
failed "to properly maintain and safeguard its computer systems and
data." The lawsuit, which seeks class action status, alleges DCH failed to
maintain "an adequate data security system to reduce the risk of data
breaches and cyberattacks." It also alleges that the organization did not
adequately protect patients' private information, properly monitor its own data
security systems for existing intrusions and ensure the confidentiality and
integrity of electronic protected health information. "Because of the
ransomware attack, plaintiffs and class members had their medical care and
treatment as well as their daily lives disrupted," the lawsuit states.
"As a consequence of the ransomware locking down the medical records of
plaintiffs and class members, [those individuals] had to forego medical care
and treatment or had to seek alternative care and treatment."
INTERNATIONAL
Gov Info Security, January 10, 2020
British regulators have fined Dixons Carphone, a large electronics and phone retailer,
£500,000 ($653,000) for a breach that exposed millions of payment card details
and personal data due to point-of-sale malware. Dixons violated the U.K.'s Data
Protection Act 1998 "by having poor security arrangements and failing to
take adequate steps to protect personal data," according to the
Information Commissioner's Office. "This included vulnerabilities such as
inadequate software patching, absence of a local firewall, and lack of network
segregation and routine security testing," the ICO says. Dixons Carphone,
also known as DSG Retail, has stores in eight countries and Hong Kong and
manages such brands as PC World, Currys and Carphone Warehouse. This is the
second time in two years Dixons Carphone has been fined. In January 2018, the
ICO fined it £400,000 ($523,000) for a 2015 breach of its Carphone Warehouse
subsidiary after an attacker exploited an outdated WordPress installation.
WIRED, January 9, 2020
In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory
missile strike that followed, Iran-watchers have warned that the country could
deploy cyberattacks as well, perhaps even targeting US critical infrastructure
like the electric grid. A new report lends some fresh details to the nature of
that threat: By all appearances, Iranian hackers don't currently have the capability
to start causing blackouts in the US. But they’ve been working to gain access
to American electric utilities, long before tensions between the two countries
came to a head. On Thursday morning, industrial control system security firm
Dragos detailed newly revealed hacking activity that it has tracked and
attributed to a group of state-sponsored hackers it calls Magnallium. The same
group is also known as APT33, Refined Kitten, or Elfin, and has previously been
linked to Iran. Dragos says it has observed Magnallium carrying out a broad
campaign of so-called password-spraying attacks, which guess a set of common
passwords for hundreds or even thousands of different accounts, targeting US
electric utilities as well as oil and gas firms.
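Password spraying shows up in authentication logs as the mirror image of brute force: one source, many accounts, one or two attempts each, spaced out to stay under lockout thresholds. The detection sketch below is an added example, not Dragos's tooling and not any utility's real logs; the log format and sample lines are constructed, and the thresholds are assumptions to be tuned against a real baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format "<timestamp> <OK|FAIL> <user> <source-ip>" (assumed).
# 203.0.113.7 sprays one guess across many accounts and lands one; 198.51.100.22
# hammers a single account (brute force, a different signature); 192.0.2.44 is a
# user who mistyped once and then got in.
SAMPLE_LOG = """\
2020-01-09T02:00:01Z FAIL  j.smith     203.0.113.7
2020-01-09T02:00:04Z FAIL  a.jones     203.0.113.7
2020-01-09T02:00:09Z FAIL  m.brown     203.0.113.7
2020-01-09T02:00:13Z FAIL  scada_ops   203.0.113.7
2020-01-09T02:00:20Z FAIL  k.wilson    203.0.113.7
2020-01-09T02:00:24Z OK    p.davis     203.0.113.7
2020-01-09T02:01:00Z FAIL  j.smith     198.51.100.22
2020-01-09T02:01:03Z FAIL  j.smith     198.51.100.22
2020-01-09T02:01:08Z FAIL  j.smith     198.51.100.22
2020-01-09T02:01:15Z FAIL  j.smith     198.51.100.22
2020-01-09T02:01:20Z FAIL  j.smith     198.51.100.22
2020-01-09T02:05:00Z FAIL  r.lee       192.0.2.44
2020-01-09T02:05:30Z OK    r.lee       192.0.2.44
"""

LINE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+(\S+)\s+(\S+)$")


def parse(text):
    """Yield (time, success, user, src) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result == "OK", user, src


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources whose failures hit many distinct accounts with few tries each.

    Returns {src: {"users": distinct accounts tried, "successes": accounts that
    later succeeded from the same source}}. The successes are what an analyst
    needs first: those sessions are the ones to pull and the credentials to reset.
    """
    fails = defaultdict(list)        # src -> [(time, user)], in time order
    successes = defaultdict(set)     # src -> {user}
    for t, ok, user, src in sorted(events, key=lambda e: e[0]):
        if ok:
            successes[src].add(user)
        else:
            fails[src].append((t, user))

    alerts = {}
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            users = set(in_window)
            if len(users) < min_users:
                continue
            # A low per-account count separates a spray from brute force; it is
            # also what keeps the attacker under account-lockout thresholds.
            if max(in_window.count(u) for u in users) <= max_per_user:
                alerts[src] = {"users": len(users),
                               "successes": sorted(successes[src])}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {info['users']} accounts tried, "
              f"succeeded on {info['successes'] or 'none'}")
```

Keying only on the source address misses sprays spread across a proxy pool or a cloud provider's ranges, so in production the same logic is usually run a second time keyed on a user-agent or client fingerprint, and a list of failed accounts per window is kept so the spray's target list can be compared against the directory.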
ZDNet, January 9, 2020
Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on
the network of Bapco, Bahrain's national oil company, ZDNet has learned from
multiple sources. The incident took place on December 29. The attack did not
have the long-lasting effect hackers might have wanted, as only a portion of Bapco's
computer fleet was impacted, with the company continuing to operate after the
malware's detonation. ZDNet has learned from several sources that the Bapco
incident is the cyber-attack described in a security alert published last week
by Saudi Arabia's National Cybersecurity Authority. Saudi officials sent the
alert to local companies active on the energy market, in an attempt to warn of
impending attacks, and urging companies to secure their networks. The Bapco
security incident came to light amid rising political tensions between the US
and Iran after the US military killed a top Iranian military general in a drone
strike last week.
CyberScoop
January 9, 2020
Intrusion Truth is back. The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are recruiting attackers working on Beijing’s behalf. By identifying job postings seeking offensive cybersecurity skills, the group wrote, they found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting to Intrusion Truth that employers actually are trying to recruit hackers for advanced persistent threat groups. “We know that these companies are a front for APT activity,” states the blog post published Thursday. This blog post is the first from Intrusion Truth since July 2019, when the group reported that a Chinese APT had offered to sell stolen data. Intrusion Truth emerged in April 2017 and, since then, intermittently has gone public with information purportedly exposing Chinese state-sponsored hacking efforts.
Gov Info Security
January 9, 2020
Nearly 16,000 malware-infected MikroTik routers have been scrubbed of Coinhive cryptojacking code thanks to an international police operation. The international law enforcement agency Interpol says it launched Operation Goldfish Alpha in June 2019 to target 20,000 hacked routers in Southeast Asia that were being used to mine for cryptocurrency, as well as to raise awareness in the region of the threat posed by cryptojacking. By the end of November 2019, Interpol reports that the number of infected devices had been reduced by 78 percent. Tokyo-based security firm Trend Micro, which assisted with the operation, says the 20,000 routers had all been built by Latvian manufacturer MikroTik and later infected with Coinhive, a small piece of JavaScript designed to mine for monero.
CyberScoop
January 8, 2020
U.S. military forces are not pulling out of Kuwait. The Kuwaiti government clarified that fact on Wednesday after KUNA, the state news agency, reported that a defense minister said Americans planned an “imminent withdrawal” within three days. In fact, KUNA had been hacked, and word of the withdrawal had been posted by an outsider, according to Tareq al-Muzraem, head of Kuwait’s government communication office. KUNA deleted the original claim from its Twitter page, and posted a series of updates on its website and to its more than 34,000 followers on Twitter. Reuters, a global news and wire service, was one credible news outlet to publish a brief article based on the false KUNA report.
Ars Technica
January 7, 2020
Iran has over the past decade built up its own organic hacking and cyberwarfare capabilities. But the groups associated with orchestrating Iran's various cyberwarfare and cyber-espionage activities have also relied significantly on mining the work of others—and in at least one case, they have tried to bring in outside help for the ostensible purpose of training would-be hackers. According to Chris Kubecka—a security researcher who played a prominent role in Saudi Aramco's response to the Iran-attributed Shamoon "wiper" malware—officials with the Telecommunication Company of Iran emailed and messaged her on behalf of the Iranian government, attempting "to recruit me to teach hacking in country against critical Infrastructure with focus on nuclear facilities," she told Ars. These efforts, which Kubecka alluded to briefly in a presentation at AppSec California in 2018, spanned over 2.5 years—during which Kubecka informed the FBI. "I was collecting evidence and communicating with them directly until last January when the FBI stepped in," she said. "The last contact we had, the Iranians wanted my home address to send me 'a gift'."
TECHNOLOGY
ZDNet
January 7, 2020
Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. WebAssembly is a low-level bytecode language that was created after a joint collaboration between all major browser vendors. It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code. WebAssembly was created for both speed and performance. Due to its binary machine-friendly format, Wasm code is smaller than its equivalent JavaScript form, but also many times faster when executing. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to run complex CPU-intensive code without freezing a browser, a task for which JavaScript was never designed or optimized.
Ars Technica
January 7, 2020
Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world’s first known instance of a fatal exploit known as a "collision" on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that’s significantly more powerful. The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn’t allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon’s Web Services platform, depending on how quickly adversaries wanted to carry it out.