Friday, January 17, 2020

Pentagon gets ‘big win’ on cyber forces



“Where other men blindly follow the truth, remember, nothing is true.
Where other men are limited by morality or law, remember, everything is permitted.
We work in the dark to serve the light.
We are assassins.”
Assassin's Creed

Google says goodbye to the cookie monster, increasing user privacy

The search giant plans to "render obsolete" a key tool advertisers use to track people around the web by ending support for third-party cookies in its Chrome browser.


FCW
January 9, 2020
Representatives from three of the largest U.S. voting system manufacturers expressed openness to new federal regulations to bolster confidence in the security of their products. Whether any such rules will come to fruition, and what effect they would have, is less clear. The three companies, Election Systems and Software, Dominion Voting Systems and Hart InterCivic, have a history of resisting outside scrutiny of their products. Under a battery of questioning from lawmakers at a Jan. 9 House Administration Committee hearing, they said they would support a range of new regulatory and reporting requirements for their companies and the election industry as a whole. Those potential requirements include a congressional mandate that states purchase voting machines with paper records and conduct post-election audits for every vote cast, new public reporting on security risks associated with their equipment and new federally crafted guidelines for how to best set up their supply chains. "I think we would support any requirements that [apply] to all vendors in our industry that would help educate users of our system and anyone who interacts with them," said Tom Burt, CEO of ES&S.

Federal News Network
January 9, 2020
The Cyberspace Solarium Commission — a panel consisting of lawmakers from both sides of the aisle, senior agency executives and private sector leaders — plans to release its first report, along with a set of 75 recommendations, sometime within the next few months. Those recommendations will revolve around a central theme of getting government to react more quickly and decisively in response to cyber attacks, in a new take on the decades-old concept of security through deterrence. “The fundamental thing we’ve been grappling with is that, unlike nuclear weapons, for example, you don’t need necessarily access to nation-state resources to have access to very powerful cyber weapons,” Rep. Mike Gallagher (R-Wis.), co-chair of the congressionally established Cyberspace Solarium, said Tuesday at the Council on Foreign Relations in Washington. “In other words, you don’t need to be a great power to have a great impact in cyber. And deterrence is hard enough when it comes to dealing with nation state actors, where the decision makers are known but yet still unpredictable. It becomes even more difficult when you’re dealing with non-state actors who may not be known and whose identities are obscure or nation states that intentionally try to obscure their activities in cyberspace.” That’s why the commission is looking at a strategy built around deterrence through punishment. In other words, retaliation for cyber attacks should be swift, decisive, consistent and public. The idea is that clear, consistent consequences will make adversaries less likely to instigate attacks.

Gov Info Security
January 9, 2020
Two Democratic Congressmen have sent letters to nine federal financial regulatory agencies asking them to take action to shore up cyber defenses in the sector because of looming security threats from Iran. The move comes in the wake of a U.S. drone attack last week that killed Iranian Major General Qasem Soleimani and Iran's retaliatory missile strikes this week against bases in Iraq housing American troops. In their letter sent this week, Democratic representatives Emanuel Cleaver II, D-Mo., and Gregory Meeks, D-N.Y., who both sit on the House Financial Services Committee, wrote that there is an impending threat to the financial services infrastructure, not only in the U.S. but across the globe. They urged the regulatory agencies to strengthen the cyber protections that guard against disruption in financial markets.

Nextgov
January 9, 2020
A half-dozen lawmakers asked the Federal Communications Commission to require wireless carriers to better protect consumers from new forms of phone hijacking. In a letter authored by Sen. Ron Wyden, D-Ore., and signed by five House and Senate members, lawmakers pressed FCC Chairman Ajit Pai to use the regulatory agency’s authority over wireless carriers to respond to a growing number of “SIM swap scams.” In these scams, fraudsters convince wireless carriers to transfer mobile accounts over to them, where they can hijack login credentials and commit other crimes, such as emptying victims’ bank accounts. Increasingly, scammers are using these attacks to bypass two-factor authentication that relies on text messages. Once scammers take ownership of a mobile account, texts and calls intended for the victim go to the scammers instead. “Consumers have limited options to protect their wireless accounts from SIM swaps and are often not informed about these options by carriers until after they have been victimized,” the lawmakers write. “Consumers have no choice but to rely on phone companies to protect them against SIM swaps—and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers.”
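The mechanics described above, that a SIM transfer redirects the SMS codes an account relies on, can be turned into a detection and a policy rule on the carrier or service side. The following is an added example, not code from the article, the lawmakers' letter or any carrier: it runs over a constructed event log (timestamps, account ids and event types are all made up for the example) and flags any SMS-dependent action that follows a SIM change on the same account within a 24-hour window, and it offers a helper that refuses to treat an SMS code as a trusted second factor during that window.

```python
from datetime import datetime, timedelta

# Constructed carrier-side event log (sample data, not from any carrier).
# Each row is (ISO timestamp, account id, event type). "sim_change" stands
# for a SIM or device transfer the carrier completed; the other two types
# are account actions whose security rests on an SMS code reaching the
# legitimate subscriber.
SAMPLE_EVENTS = [
    ("2020-01-07T09:00:00", "acct-1001", "sim_change"),
    ("2020-01-07T09:12:00", "acct-1001", "sms_otp_sent"),
    ("2020-01-07T09:15:00", "acct-1001", "password_reset"),
    ("2020-01-07T10:00:00", "acct-2002", "sms_otp_sent"),
    ("2020-01-05T08:00:00", "acct-3003", "sim_change"),
    ("2020-01-07T08:30:00", "acct-3003", "sms_otp_sent"),  # more than 24h after the swap
]

SMS_DEPENDENT_ACTIONS = {"sms_otp_sent", "password_reset"}


def parse_events(events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [(datetime.fromisoformat(ts), acct, kind) for ts, acct, kind in events]
    return sorted(parsed, key=lambda e: e[0])


def flag_post_swap_actions(events, window=timedelta(hours=24)):
    """Return (account, action, action_time, swap_time) for every SMS-dependent
    action that follows a SIM change on the same account within `window`."""
    last_swap = {}
    flagged = []
    for ts, acct, kind in parse_events(events):
        if kind == "sim_change":
            last_swap[acct] = ts
        elif kind in SMS_DEPENDENT_ACTIONS and acct in last_swap:
            swap_ts = last_swap[acct]
            if ts - swap_ts <= window:
                flagged.append((acct, kind, ts.isoformat(), swap_ts.isoformat()))
    return flagged


def sms_factor_trusted(account, now_iso, events, window=timedelta(hours=24)):
    """Policy helper: treat an SMS code as a valid second factor only if the
    account has had no SIM change in the `window` before `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    for ts, acct, kind in parse_events(events):
        if acct == account and kind == "sim_change" and timedelta(0) <= now - ts <= window:
            return False
    return True


if __name__ == "__main__":
    for acct, kind, when, swapped in flag_post_swap_actions(SAMPLE_EVENTS):
        print(f"{acct}: {kind} at {when}, SIM changed at {swapped}")
```

The window length and the set of SMS-dependent actions are assumptions for the example; a carrier would tune them, and a relying service that cannot see SIM changes at all is exactly why the letter asks the FCC to push carriers to expose and enforce such protections.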

The Hill
January 8, 2020
The House on Wednesday passed a slew of bills aimed at giving the U.S. a leg up over China in the race to implement the super-fast next-generation wireless networks known as 5G. The trio of bipartisan bills, which passed the House near-unanimously, would funnel U.S. government resources into steering international wireless policy while securing the burgeoning networks against cyberattacks and foreign influence. The legislation comes as the U.S. works to win the "race to 5G," which will enable a generation of Internet-connected devices and offer mobile data speeds up to 100 times what is currently possible. Congress and the Trump administration have been working to diminish the power of Chinese telecommunications companies currently dominating the 5G industry while pouring more money into efforts to build out the networks in the U.S. “All three of these bills are important for securing America’s wireless future, and we hope they won’t languish in the Senate," Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) and communications subcommittee Chairman Mike Doyle (D-Pa.) said in a statement. The House on Wednesday also passed a resolution calling on the U.S. to follow a set of international cybersecurity standards as it develops 5G capabilities.


ADMINISTRATION

FCW
January 10, 2020
It's a new year -- and a new cybersecurity regime for vendors working on defense contracts is coming. The Defense Department has been steadily working on its new unified standard, the Cybersecurity Maturity Model Certification (CMMC), and is expected to release a final version and a list of accrediting bodies in January. But while companies shouldn't wait until things are finalized to prep for certification, many are stuck. "CMMC is going to be law of the land," Corbin Evans, the director of regulatory policy for the National Defense Industrial Association, told FCW, yet "folks are a little hesitant to make any major moves." Evans said a proposed rule to amend the Defense Federal Acquisition Regulation is expected this summer to solidify language and regulatory authority to include CMMC in contracts and that it's possible "they may try and stretch and amend the FAR itself." DOD recently announced that Ty Schieber, the senior director for executive education at the University of Virginia’s Darden School Foundation, will head a 13-member governing body for the organization charged with certifying auditors.

Fifth Domain
January 10, 2020
From 2013 to mid-2018, U.S. Cyber Command built its cyber mission force — the 133-team, roughly 6,200-person cadre of personnel that conduct cyber operations. Following the build out of those teams, Cyber Command asserted that the focus would shift to readiness, or maintaining the teams and ensuring they remained fully capable of performing missions. Now the Department of Defense has taken a critical step with its cyber teams by establishing metrics that define work roles and readiness, a top official said Jan. 9. “We now have a signed document from the secretary that defines what a cyber operating force is,” Maj. Gen. Dennis Crall, deputy principal cyber adviser and senior military adviser for cyber policy, said at an AFCEA hosted lunch. And these metrics are “big wins,” Crall said. Crall said that — unlike in the air, ground and maritime space — processes for defining and understanding readiness and concrete work roles, especially for defensive cyber teams known as cyber protection teams, did not exist prior. Cyber, despite being around for over 20 years, is still a relatively new discipline within the military for which the force, capabilities, processes and authorities are still evolving. “We have for the first time defined what a cyber protection team is. We know what the work roles are. We know exactly what those teams’ mission are … [and] how to evaluate them,” he said.

CyberScoop
January 10, 2020
The FBI has told U.S. companies that Iranian hackers have stepped up their probing and reconnaissance activity in the days since the U.S. military killed Iranian Maj. Gen. Qassem Soleimani. In an advisory to industry this week obtained by CyberScoop, the FBI warned that Iranian hackers could target cleared defense contractors, government agencies, academia and nongovernmental organizations focused on Iran issues. The FBI assesses that Iranian hackers could use “a range of computer network operations against U.S.-based networks in retaliation for last week’s strikes against Iranian military leadership,” says the memo, which is labeled “TLP White,” meaning its recipients can distribute it liberally. The Jan. 9 alert did not elaborate on the nature of the increased Iranian “cyber reconnaissance activity” that the FBI says has occurred since Soleimani’s killing, nor did it mention any Iranian breaches of networks as part of that activity.

Ars Technica
January 9, 2020
An Android phone subsidized by the US government for low-income users comes preinstalled with malware that can't be removed without making the device cease to work, researchers reported on Thursday. The UMX U686CL is provided by Virgin Mobile's Assurance Wireless program. Assurance Wireless is an offshoot of Lifeline Assistance, a Federal Communications Commission program that makes free or government-subsidized phone service available to millions of low-income families. The program is often referred to as the Obama Phone because it expanded around the time President Barack Obama took office. The UMX U686CL runs Android and is available for $35 to qualifying users. Researchers at Malwarebytes said on Thursday that the device comes with two nasty surprises. The first is heavily obfuscated malware that can install adware and other unwanted apps without the knowledge or permission of the user. The second is something called Wireless Update: while it provides a mechanism for downloading and installing phone updates, it also loads a barrage of unwanted apps without permission. Representatives of Sprint, the owner of Virgin Mobile, meanwhile said the company didn't believe the apps were malicious.

ZDNet
January 9, 2020
Officials from the city of Las Vegas said they narrowly avoided a major security incident that took place on Tuesday, January 7. According to a statement published by the city on Wednesday, the compromise took place on Tuesday at 4:30 a.m. The city said IT staff immediately detected the intrusion and took steps to protect impacted systems. The city responded by taking several services offline, including its public website, which is still down at the time of writing. City officials have not disclosed any details about the nature of the incident, but local press reported that it might have involved an email delivery vector. In a subsequent statement published on Twitter on Wednesday, the city confirmed it "resumed full operations with all data systems functioning as normal."

WRC
January 9, 2020
Two members of the D.C. Homeland Security Commission are questioning the District’s decision to not release a cybersecurity report the members say they prepared for the public. On Friday, a second member told the News4 I-Team the report was completed in 2018, but the commission was immediately met with delays and resistance from District leaders over its release. The news comes a day after District leaders cited security concerns stemming from the recent conflict with Iran as a reason to withhold the report, despite a city law that specifies annual reports prepared by the Homeland Security Commission be made “available to the public.” "The events of the last week, particularly with the heightened cyberthreat from overseas, only reinforces the fact that that report right now will not be made public," Chris Rodriguez, the director of D.C.’s Homeland Security and Emergency Management Agency, said during a Thursday press conference with Mayor Muriel Bowser.

Federal News Network
January 8, 2020
The Air Force has run three separate bug bounties to test the cybersecurity of its IT systems so far. And while they’ve managed to find hundreds of vulnerabilities, the service wants to take the approach much further, including by inviting hackers to probe for weaknesses in its parts supply chain and its satellites. The “Hack the Air Force” competitions have, so far, focused on the service’s public websites and its Cloud One environment. While they’ve led to myriad security improvements, the approach has its limitations. For one, it only finds vulnerabilities on systems that are already up and running. For another, it does not address the vast array of potential cyber vulnerabilities in areas of the IT landscape the DoD acquisition process doesn’t pay much attention to, like the embedded systems and subsystems deep in the supply chain which eventually make their way into military equipment.

KXAN
January 8, 2020
State investigators and the FBI are searching for whoever launched a cyberattack on the Texas Department of Agriculture website, replacing its imagery with that of the dead Iranian general Qassem Soleimani. Soleimani, a prominent military leader for the Iranian government, was killed earlier this month in a U.S. drone strike in Iraq, and Iran promised retaliation. Overnight Monday, a spokesman for the Department of Agriculture confirmed that the website's content had been replaced with a black background and a white image of Soleimani, with “hacked by Iranian Hacker” underneath and smaller Arabic lettering around it. No personal information was accessed, according to the spokesman; the only change was superficial. It is not clear how the attackers gained access to the website, but text on the page claimed the hack came from “Shield Iran.”

FCW
January 7, 2020
Network and infrastructure operators need to be alert to growing cybersecurity risks in the wake of the targeted killing of Iranian military leader Gen. Qassim Soleimani in a drone strike last week. That's the message from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security in a Jan. 6 publication aimed at both government and private sector officials. U.S. officials and cybersecurity experts are concerned that Iranian reprisals for the killing of Soleimani could take the form of attacks on U.S. networks or critical infrastructure. Hossein Salami, the head of the Revolutionary Guards forces in Iran, threatened a "tough, strong, decisive and finishing" revenge in a speech on Jan. 7. "We say again that we have strong determination and take revenge and if they continue, we will set fire at the place they like and they know where it is," Salami said in remarks translated by Iran's Fars News Service. The CISA document points out that tensions between U.S. and Iran "have the potential for retaliatory aggression against the U.S. and its global interests."

Gov Info Security
January 6, 2020
Hacktivists have long used website defacements to bring attention to their causes. Breaking into a website, or seizing its domain name and redirecting the domain, is rarely a long-lasting attack, but it usually causes embarrassment, and, at a technical level, highlights gaps in website security. Such attacks are so frequent that most barely register attention. But one over the weekend stuck out: the website for the U.S. Federal Depository Library Program, which featured a doctored photo of President Donald Trump being punched in the face with an Iranian flag in the background. The FDLP, which is designed to make federal documents available to the public, is part of the Government Publishing Office.

The San Francisco Chronicle
January 5, 2020
Rudy Giuliani’s mixing of his business interests, closeness with President Trump and involvement in government actions involving Ukraine is the subject of much attention from Congress as the impeachment case against the president moves toward the Senate. But a Chronicle investigation has found that Giuliani’s blurring of White House and personal business didn’t start with Ukraine. It began in the early days of the Trump administration, when Giuliani was named as a White House adviser in an area where he had limited experience but was trying to build a clientele: cybersecurity. His unpaid position with the new administration was vague, because Trump never gave him an official title or created a formal advisory committee for him to serve on or to chair. If Trump had done so, federal ethics laws would have obliged Giuliani to reveal any financial connections that might enable him to profit from his position. Without an official government job — but with a publicized informal role — the former U.S. attorney and two-term mayor of New York was able to present himself to prospective clients as someone with a direct line to the president, without any transparency for the public.


INDUSTRY

ZDNet
January 10, 2020
A team of four Danish security researchers this week disclosed a security flaw that impacts cable modems using Broadcom chips. The vulnerability, codenamed Cable Haunt, is believed to affect an estimated 200 million cable modems in Europe alone, the research team said today. It lies in a standard component of Broadcom chips called the spectrum analyzer, a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable; internet service providers (ISPs) often use it to debug connection quality. On most cable modems, access to this component is limited to connections from the internal network. The research team says the Broadcom spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware. By tricking a user into opening a malicious page, the researchers say, they can use the victim's browser, which sits on the internal network, to relay an exploit to the vulnerable component and execute commands on the device.
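The reason a LAN-only restriction does not stop this is the DNS rebinding step: the victim's browser resolves the attacker's name to the attacker's server, loads the page, and after a short TTL resolves the same name to the modem's LAN address, so later requests from the page land on the modem from inside the network but still carry the attacker's hostname in the Host header (and the attacker's page in the Origin header of any WebSocket handshake). The missing defence is for the embedded service to accept only its own names. The following is an added example of that check, not code from the Cable Haunt researchers, Broadcom or any modem vendor; the allow-listed addresses and the policy of tolerating a missing Origin header are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list for a modem's management service (an assumption for
# this example, not a setting from Broadcom or any modem vendor): the names and
# addresses at which the service legitimately answers.
ALLOWED_HOSTS = {"192.168.100.1", "192.168.0.1", "modem.local"}
ALLOWED_ORIGIN_SCHEMES = {"http", "https"}


def _strip_port(host):
    """Lower-case a Host value and drop any :port, keeping IPv6 literals intact."""
    host = host.strip().lower()
    if host.startswith("["):                 # [2001:db8::1]:8080
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                 # name:port or v4:port
        return host.rsplit(":", 1)[0]
    return host                              # bare name, v4, or unbracketed v6


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """A rebound request reaches the modem from inside the LAN but still
    carries 'Host: attacker.example', so an allow-list of the service's
    own names rejects it."""
    if not host_header:
        return False
    return _strip_port(host_header) in allowed


def origin_allowed(origin_header, allowed=ALLOWED_HOSTS):
    """For WebSocket handshakes and cross-origin XHR the browser also sends the
    Origin of the page that opened the connection; a page served from the
    attacker's domain must be refused. A missing Origin is treated as a
    non-browser client (design choice for this example) and left to the
    Host check. The value 'null' has no scheme and is rejected."""
    if origin_header is None:
        return True
    parts = urlsplit(origin_header)
    if parts.scheme not in ALLOWED_ORIGIN_SCHEMES or not parts.hostname:
        return False
    return parts.hostname.lower() in allowed


def request_allowed(headers, allowed=ALLOWED_HOSTS):
    """Apply both checks to a request's headers (keys matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    return host_header_allowed(h.get("host"), allowed) and origin_allowed(h.get("origin"), allowed)


if __name__ == "__main__":
    rebound = {"Host": "attacker.example", "Origin": "http://attacker.example"}
    legit = {"Host": "192.168.100.1", "Origin": "http://192.168.100.1"}
    print("rebound request allowed:", request_allowed(rebound))   # False
    print("local request allowed:", request_allowed(legit))        # True
```

Host and Origin validation closes the relay path; it does nothing about the default credentials or the firmware bug the researchers also report, which need their own fixes.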

CyberScoop
January 10, 2020
It’s been more than two weeks since researchers went public with a critical vulnerability in products made by corporate VPN service provider Citrix that could give a hacker free rein over the many enterprise networks that use the software. Now, with no sign of a complete patch for the vulnerability, cybersecurity experts are exhorting organizations to address the issue. “It’s extremely important to apply the mitigation steps and recognize that there is no patch for this,” said Dave Kennedy, founder of cybersecurity company TrustedSec, adding that he has already seen attackers scanning for vulnerable systems. “We have a working exploit, and it took us under a day to develop it,” Kennedy told CyberScoop. “Attackers have the same capabilities.” The flaw, discovered by cybersecurity company Positive Technologies, is in a Citrix cloud-based application delivery tool, as well as a product that allows remote access to the company’s applications. Based on the popularity of the software tools, Positive Technologies claimed that the vulnerability could affect tens of thousands of companies.

Security Boulevard
January 10, 2020
Armis, a provider of a service through which organizations can discover devices connected to their networks and assess the level of risk they represent, has been acquired by Insight Partners for $1.1 billion in cash. Company CTO Nadir Izrael said the funding will be used to both expand the global reach of the service and drive the development of applications that will further analyze the data Armis collects on behalf of customers. The Armis service is based on an agentless architecture that employs algorithms to profile devices that are connected to various customer networks. Once those devices are profiled, Izrael said it becomes possible for Armis to instantly recognize whenever one of those devices is connected to another network. In effect, Armis is crowdsourcing data about different devices to enable IT organizations to track assets that are becoming more diverse with each passing day, he said.

Security Week
January 9, 2020
Rockwell Automation on Wednesday announced that it has entered an agreement to acquire Israel-based cybersecurity solutions provider Avnet Data Security in an effort to expand its cybersecurity expertise. Founded in 1995, Avnet provides a wide range of services and solutions for IT and OT environments, including penetration testing, assessments, training, and network and security products. In terms of ICS and SCADA security, Avnet specializes in consultancy, training and research. The company claims to have assisted major utilities and other organizations in securing their OT networks. Rockwell Automation says it has decided to acquire Avnet because its extensive knowledge and experience will support its objective to “achieve double digit growth in Information Solutions and Connected Services by expanding our IT/OT cyber and network expertise globally.”

Ars Technica
January 8, 2020
In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software—a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware. Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year's Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex's network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information. "In the case of payment, we will delete and will not use that [data]base and restore them the entire network," the individual claiming to be part of the Sodinokibi operation told the BBC. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base." Security researcher Kevin Beaumont found that Travelex had seven unpatched Pulse Secure servers. An exploit for the vulnerability has been available on Internet bulletin boards since August of 2019.

Wired
January 8, 2020
The social video app TikTok has been branded a potential security threat for its ties to China—the app is owned by the Beijing-based company ByteDance—but like any piece of software it also has the potential for more immediate security concerns. Recently patched vulnerabilities in the app could have allowed an attacker to take over TikTok accounts, add or delete videos, and expose private data like user information or videos marked "hidden." Researchers from the security firm Check Point first disclosed the bugs to TikTok in late November, and the company patched all of them on iOS and Android by the end of December. The findings come, though, as Congress has held hearings and called for investigations in recent months over the possibility that the app poses a national security risk. And the US Army and Navy both banned the app from their devices at the end of 2019, calling it a cyber threat. All software has bugs, and a few vulnerabilities don't reveal that TikTok is at all malicious. But the findings show that the social media app of the moment merits more scrutiny.

Ars Technica
January 8, 2020
Mozilla has released a new version of Firefox that fixes an actively exploited zero-day that could allow attackers to take control of users' computers. In an advisory, Mozilla rated the vulnerability critical and said it was "aware of targeted attacks in the wild abusing this flaw." The US Cybersecurity and Infrastructure Security Agency said one or more exploits were "detected in the wild" and warned that the flaw could be exploited to "take control of an affected system." The Mozilla advisory credited researchers at China-based Qihoo 360 with reporting the flaw. No other details about the attacks were immediately available. Neither Mozilla nor Qihoo 360 responded to emails asking for more information. CVE-2019-17026, as the vulnerability is indexed, is a type confusion, a potentially critical error that can result in data being written to, or read from, memory locations that are normally off-limits. These out-of-bounds reads may allow attackers to discover memory locations where malicious code is stored so that protections such as address space layout randomization can be bypassed. Out-of-bounds reads can also cause crashes.

Gov Info Security
January 7, 2020
Accenture plans to buy the former Symantec Cyber Security Services business from Broadcom for an undisclosed sum, the two companies announced Tuesday. The deal for the Symantec services unit comes only five months after Broadcom paid $10.7 billion for Symantec's entire enterprise security division. While the Accenture Security unit will pick up the Symantec services business, Broadcom will retain Symantec's security software division. The acquisition is expected to close in March. About 300 Symantec services employees will then move over to Accenture Security.

Bloomberg
January 6, 2020
Shares of cybersecurity companies gained in the aftermath of last week’s killing of a top Iranian military official as investors bet the increased risk of attacks will result in more business. Crowdstrike Holdings Inc. rose as much as 11% on Monday, adding to a 2.7% gain in Friday’s session. FireEye Inc. has advanced 5% over two days. Companies that offer threat-detection services are the ones most likely to benefit from increased risk of attacks compared with those offering more traditional services like firewall defense, according to Mandeep Singh, a Bloomberg Intelligence analyst. “It’s really the pure-play security companies that do threat detection that are the ones that can be the direct beneficiary of something like this,” he said in an interview. “These events are more of a tailwind, it can drive up their services businesses.”

Gov Info Security
January 6, 2020
A lawsuit against DCH Health System in the wake of a ransomware attack that disrupted medical services for several days alleges that the Alabama-based organization failed "to properly maintain and safeguard its computer systems and data." The lawsuit, which seeks class action status, alleges DCH failed to maintain "an adequate data security system to reduce the risk of data breaches and cyberattacks." It also alleges that the organization did not adequately protect patients' private information, properly monitor its own data security systems for existing intrusions and ensure the confidentiality and integrity of electronic protected health information. "Because of the ransomware attack, plaintiffs and class members had their medical care and treatment as well as their daily lives disrupted," the lawsuit states. "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, [those individuals] had to forego medical care and treatment or had to seek alternative care and treatment."


INTERNATIONAL

Gov Info Security
January 10, 2020
British regulators have fined Dixons Carphone, a large electronics and phone retailer, £500,000 ($653,000) for a breach that exposed millions of payment card details and personal data due to point-of-sale malware. Dixons violated the U.K.'s Data Protection Act 1998 "by having poor security arrangements and failing to take adequate steps to protect personal data," according to the Information Commissioner's Office. "This included vulnerabilities such as inadequate software patching, absence of a local firewall, and lack of network segregation and routine security testing," the ICO says. Dixons Carphone, also known as DSG Retail, has stores in eight countries and Hong Kong and manages such brands as PC World, Currys and Carphone Warehouse. This is the second time in two years Dixons Carphone has been fined. In January 2018, the ICO fined it £400,000 ($523,000) for a 2015 breach of its Carphone Warehouse subsidiary after an attacker exploited an outdated WordPress installation.

WIRED
January 9, 2020
In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory missile strike that followed, Iran-watchers have warned that the country could deploy cyberattacks as well, perhaps even targeting US critical infrastructure like the electric grid. A new report lends some fresh details to the nature of that threat: By all appearances, Iranian hackers don't currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head. On Thursday morning, industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin, and has previously been linked to Iran. Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.
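Password spraying, as the article describes it, inverts the usual brute-force pattern: instead of many guesses against one account, the attacker tries one or two common passwords against hundreds of accounts, staying under per-account lockout thresholds. That shape is what a detection has to look for. The following is an added example, not code from Dragos or from the article: it parses a constructed authentication log in a generic key=value format (addresses, usernames and timestamps are made up for the example) and separates the spray signature (one source, many distinct accounts, about one attempt each) from classic brute force (one source, one account, many failures), also reporting which sprayed accounts ended up with a successful login.

```python
import re
from collections import defaultdict

# Constructed authentication log in a generic key=value format (sample data,
# not from any utility or vendor). One source tries six different accounts
# once each, one source hammers a single account, one source is a normal user.
SAMPLE_LOG = """\
2020-01-08T03:00:01 auth src=203.0.113.5 user=alice result=FAIL
2020-01-08T03:00:03 auth src=203.0.113.5 user=bob result=FAIL
2020-01-08T03:00:05 auth src=203.0.113.5 user=carol result=FAIL
2020-01-08T03:00:07 auth src=203.0.113.5 user=dave result=FAIL
2020-01-08T03:00:09 auth src=203.0.113.5 user=erin result=FAIL
2020-01-08T03:00:11 auth src=203.0.113.5 user=frank result=SUCCESS
2020-01-08T03:01:00 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:01:02 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:01:04 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:01:06 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:01:08 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:01:10 auth src=198.51.100.7 user=admin result=FAIL
2020-01-08T03:05:00 auth src=192.0.2.10 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def summarize_by_source(lines):
    """Per source address: distinct accounts tried, attempt and failure counts,
    and the accounts that eventually logged in."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                          # skip unrelated or malformed lines
        _ts, src, user, result = m.groups()
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].add(user)
    return dict(stats)


def detect_spray(lines, min_users=5, max_attempts_per_user=2.0):
    """Password spraying: one source, many distinct accounts, only one or two
    guesses per account, so per-account lockout thresholds are never hit."""
    alerts = {}
    for src, s in summarize_by_source(lines).items():
        n_users = len(s["users"])
        if n_users >= min_users and s["attempts"] / n_users <= max_attempts_per_user:
            alerts[src] = {"accounts": sorted(s["users"]), "compromised": sorted(s["successes"])}
    return alerts


def detect_brute_force(lines, min_failures=5):
    """The opposite shape: one source, one account, many failures."""
    return {src: next(iter(s["users"]))
            for src, s in summarize_by_source(lines).items()
            if len(s["users"]) == 1 and s["failures"] >= min_failures}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("spray sources:", detect_spray(lines))
    print("brute-force sources:", detect_brute_force(lines))
```

Grouping by source address is the simplest key and suffices for the sample; a real campaign is paced over hours and spread across many addresses, so a production rule would window by time and also group by account across all sources (many accounts each seeing one failure from anywhere in the same window), and would treat any "compromised" entry as an incident rather than a statistic.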

ZDNet
January 9, 2020
Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain's national oil company, ZDNet has learned from multiple sources. The incident took place on December 29. The attack did not have the long-lasting effect hackers might have wanted, as only a portion of Bapco's computer fleet was impacted, with the company continuing to operate after the malware's detonation. ZDNet has learned from several sources that the Bapco incident is the cyber-attack described in a security alert published last week by Saudi Arabia's National Cybersecurity Authority. Saudi officials sent the alert to local companies active on the energy market, in an attempt to warn of impending attacks, and urging companies to secure their networks. The Bapco security incident came to light amid rising political tensions between the US and Iran after the US military killed a top Iranian military general in a drone strike last week.

CyberScoop
January 9, 2020
Intrusion Truth is back. The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are recruiting attackers working on Beijing’s behalf. By identifying job postings seeking offensive cybersecurity skills, the group wrote, they found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting to Intrusion Truth that employers actually are trying to recruit hackers for advanced persistent threat groups. “We know that these companies are a front for APT activity,” states the blog post published Thursday. This blog post is the first from Intrusion Truth since July 2019, when the group reported that a Chinese APT had offered to sell stolen data. Intrusion Truth emerged in April 2017 and, since then, intermittently has gone public with information purportedly exposing Chinese state-sponsored hacking efforts.

Gov Info Security
January 9, 2020
Nearly 16,000 malware-infected MikroTik routers have been scrubbed of Coinhive cryptojacking code thanks to an international police operation. The international law enforcement agency Interpol says it launched Operation Goldfish Alpha in June 2019 to target 20,000 hacked routers in Southeast Asia that were being used to mine for cryptocurrency, as well as to raise awareness in the region of the threat posed by cryptojacking. By the end of November 2019, Interpol reports that the number of infected devices had been reduced by 78 percent. Tokyo-based security firm Trend Micro, which assisted with the operation, says the 20,000 routers had all been built by Latvian manufacturer MikroTik and later infected with Coinhive, a small piece of JavaScript designed to mine for monero.

CyberScoop
January 8, 2020
U.S. military forces are not pulling out of Kuwait. The Kuwaiti government clarified that fact on Wednesday after KUNA, the state news agency, reported that a defense minister said Americans planned an “imminent withdrawal” within three days. In fact, KUNA had been hacked, and word of the withdrawal had been posted by an outsider, according to Tareq al-Muzraem, head of Kuwait’s government communication office. KUNA deleted the original claim from its Twitter page, and posted a series of updates on its website and to its more than 34,000 followers on Twitter. Reuters, a global news and wire service, was one credible news outlet to publish a brief article based on the false KUNA report.

Ars Technica
January 7, 2020
Iran has over the past decade built up its own organic hacking and cyberwarfare capabilities. But the groups associated with orchestrating Iran's various cyberwarfare and cyber-espionage activities have also relied significantly on mining the work of others—and in at least one case, they have tried to bring in outside help for the ostensible purpose of training would-be hackers. According to Chris Kubecka—a security researcher who played a prominent role in Saudi Aramco's response to the Iran-attributed Shamoon "wiper" malware—officials with the Telecommunication Company of Iran emailed and messaged her on behalf of the Iranian government, attempting "to recruit me to teach hacking in country against critical Infrastructure with focus on nuclear facilities," she told Ars. These efforts, which Kubecka alluded to briefly in a presentation at AppSec California in 2018, spanned over 2.5 years—during which Kubecka informed the FBI. "I was collecting evidence and communicating with them directly until last January when the FBI stepped in," she said. "The last contact we had, the Iranians wanted my home address to send me 'a gift'."


TECHNOLOGY

ZDNet
January 7, 2020
Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. WebAssembly is a low-level bytecode language that was created through a joint collaboration between all major browser vendors. It introduces a new binary file format for transmitting code from a web server to a browser. Once it reaches the browser, WebAssembly code (Wasm) executes with near-native speed, similar to compiled C, C++, or Rust code. WebAssembly was created for both speed and performance. Due to its binary, machine-friendly format, Wasm code is smaller than its equivalent JavaScript form and also many times faster when executing. This has made WebAssembly the next incarnation of Adobe Flash, allowing websites to run complex CPU-intensive code without freezing a browser, a task for which JavaScript was never designed or optimized.

Ars Technica
January 7, 2020
Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world’s first known instance of a fatal exploit known as a "collision" on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that’s significantly more powerful. The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn’t allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon’s Web Services platform, depending on how quickly adversaries wanted to carry it out.