#cyberfraud | #cybercriminals | The Week that Was, 3.7.20

Source: National Cyber Security – Produced By Gregory Evans

Super Tuesday goes off (mostly) without a hitch.

Super Tuesday in the US proceeded without any evidence of hacking or significant disinformation, according to the Washington Post. A senior official at the Cybersecurity and Infrastructure Security Agency (CISA) told the press that US law enforcement and intelligence agencies didn’t see any noteworthy malicious activity, ABC News reports. There was a spate of robocalls in Texas that instructed Democrats to vote on Wednesday, but the CISA official noted that these types of calls are common on election days.

Some states did encounter technical glitches with voting machines and election websites. State-run polling location websites for Texas and Minnesota temporarily went down due to heavy traffic, Nextgov says. Los Angeles County in California experienced voting machine shutdowns that resulted in very long wait times, the Los Angeles Times reports. CISA said none of these issues were attributed to malicious activity.

General Paul Nakasone, director of US Cyber Command and NSA, told Congress on Wednesday that his “top priority is a safe and secure election that is free from foreign influence,” according to The Hill. General Nakasone said the government coordination during the 2018 midterms looked “like a pickup game” compared to what he saw this past Super Tuesday. He added that adversaries are still using social media platforms to conduct influence operations, but said “we are ready for them.”

Prior to Super Tuesday, the heads of eight US government agencies (DOS, DOJ, DOD, DHS, ODNI, FBI, NSA, and CISA) released a joint statement warning foreign adversaries not to interfere with US elections, saying “We continue to make it clear to foreign actors that any effort to undermine our democratic processes will be met with sharp consequences.”

Chinese security company calls out CIA for cyberespionage.

Chinese security firm Qihoo 360 published a report asserting that the US Central Intelligence Agency conducted an eleven-year espionage campaign against organizations in China and around the world. The content of the report isn’t new or surprising. For the most part, it lays out information that was already known from the Vault 7 files, although ZDNet points out that the targets of the alleged operation weren’t previously known.

Most observers believe the timing of the report is more significant than its contents. Qihoo 360 generally publishes useful and detailed reports on malware campaigns and APT activity, but Forbes and others see this particular report as the Chinese government’s response to the US Justice Department’s recent indictment of Chinese military hackers.

TA505 targets South Korea.

CyberScoop reports that the financially motivated threat group TA505 largely concentrated its efforts against South Korean organizations in 2019. According to researchers at South Korea’s Financial Security Institute, the group has been distributing the FlawedAmmyy Trojan via spearphishing emails tailored to South Korean recipients. The researchers say the threat actor has also been deploying the Clop and Locky ransomware strains. In one case, the group appeared to use the Rapid ransomware, which TA505 hasn’t been known to use in the past, although the researchers suspect the Rapid incident was “a one-time attack because it did not use valid digital signatures and custom packers commonly found in malwares distributed by the TA505 Threat Group.”

DoppelPaymer begins publishing stolen data.

Colorado-based manufacturing company Visser Precision disclosed to TechCrunch that it had sustained a cyberattack, which Brett Callow at Emsisoft concluded was a DoppelPaymer ransomware infection that was preceded by data theft. Visser’s customers include SpaceX, Tesla, Boeing, and Lockheed Martin, and the ransomware operators have apparently stolen files related to contracts with these companies. Some of the stolen files have been publicly posted to a website set up by DoppelPaymer’s operators. Callow told Forbes and other outlets that DoppelPaymer’s proprietors have been exfiltrating and selling data from their victims for some time now, but they’ve only just begun publishing those data as an extortionary tactic.

DoppelPaymer’s operators gave BleepingComputer the rundown on their preferred method for exfiltrating their victims’ data. As the crooks move laterally within a compromised network, they seek out cloud backup credentials. They then download these backups to their own servers, explaining that there’s “No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to ‘data breach detection software.’” After this, they delete the backups from the victim’s cloud service and begin encrypting the data on the victim’s servers.

Coronavirus phishbait and disinformation.

COVID-19 continues to be widely used as phishbait, the Wall Street Journal reports. Proofpoint and other security companies have observed a significant spike in coronavirus-themed phishing emails and scams since the end of January. Proofpoint’s senior director of threat research Sherrod DeGrippo told the Journal that the global nature of the subject lends itself well to widespread phishing campaigns, describing it as “social engineering at scale, based on a fear.”

Disinformation and misinformation are also coming into play. Lea Gabrielle, the coordinator of the US State Department’s Global Engagement Center, told Congress on Thursday that Russia had used “swarms of online, false personas” to spread disinformation about the coronavirus, the Washington Post reports. The Post also obtained a report from the Global Engagement Center that said the Center had identified around two million tweets pushing hoaxes and conspiracies about the virus between January 20th and February 10th, some of which displayed “evidence of inauthentic and coordinated activity.” Gabrielle didn’t mention this report in her testimony, and the report didn’t mention Russia, so it’s not clear if the activities are related.

Russian President Putin said on Wednesday that Russia itself was being targeted by a wave of fake news seeking to spread fear about the coronavirus, according to Reuters. Group-IB said on Monday that it had identified a voice message concerning a coronavirus outbreak in Moscow being widely shared by bots on the Russian social media service VK. The Russian cybersecurity firm states, “We strongly urge the general public to stay vigilant about unverified sources distributing such fake claims and follow the recommendations of the World Health Organization to prevent coronavirus infection.”

Let’s Encrypt revokes three million certificates.

Let’s Encrypt on Wednesday revoked three million certificates after it identified a bug in the way its code checked Certificate Authority Authorization (CAA) records, the Register reports. Naked Security explains that certificate-issuing organizations are required to check a domain’s CAA record every time they issue a new certificate for that domain, in order to prevent fraud. Some organizations have a different Let’s Encrypt certificate for each of their domains, and the company conveniently allows them to renew all of these domains at once. When this happened, however, instead of iterating through the list of domains and checking the CAA record of each one, Let’s Encrypt’s Go code would repeatedly check the record of just one of the domains in the list (Jacob Hoffman-Andrews from the EFF noted that this is a common mistake in Go programming). As a result, Let’s Encrypt had to revoke the certificates of every domain whose CAA record hadn’t been properly checked.

Let’s Encrypt has advice for affected customers here.

Patch news.

Cisco is developing patches to address the Kr00k vulnerability in Broadcom and Cypress chips, which can allow an unauthenticated attacker to intercept and decrypt certain Wi-Fi data frames, ZDNet reports. Multiple Cisco products use Broadcom chips, and Cisco notes that “There are no workarounds that address this vulnerability.”

Crime and punishment.

The US Department of Justice has indicted Charles K. Edwards, former Acting Inspector General for the US Department of Homeland Security, for allegedly “stealing confidential and proprietary software from DHS Office of Inspector General (OIG), along with sensitive government databases containing personal identifying information (PII) of DHS and USPS employees, so that Edwards’s company, Delta Business Solutions, could later sell an enhanced version of DHS-OIG’s software to the Office of Inspector General for the U.S. Department of Agriculture at a profit.” The Justice Department maintains that Edwards continued this scheme even after resigning from the DHS-OIG, with the help of a former subordinate, Murali Yamazula Venkata, who was also charged in the indictment. Edwards allegedly hired “software developers in India for the purpose of developing his commercial alternative of DHS-OIG’s software.”

Reuters reports that the Swiss government has filed a criminal complaint “against persons unknown” over reports that the Switzerland-headquartered encryption company Crypto AG was secretly owned by the US CIA and Germany’s BND. The Swiss attorney general’s office on Sunday said it “has received a criminal complaint by the State Secretariat for Economic Affairs (SECO) dated Feb. 2, 2020 regarding possible violations of export control law.”

Computing reports that London’s Metropolitan Police stopped and questioned five people after they were incorrectly identified by the police force’s facial recognition technology. The Register notes that according to a small sample of the Met’s own data, the force’s facial recognition software has an inaccuracy rate of 87.5%.

Huawei has pleaded not guilty to US charges of racketeering and fraud, according to Reuters.

Courts and torts.

Axios notes that the US Federal Communications Commission has disclosed the proposed size of the fines it plans to impose on the four major US wireless carriers over their sale of customer location data to third parties. T-Mobile faces a $91.6 million fine, AT&T is looking at $57.2 million, Verizon, $48.3 million, and Sprint, $12.2 million. The FCC stated that “The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.” The Wall Street Journal says T-Mobile plans to challenge the FCC’s proposed fine.

Brussels Airlines is suing a Flemish man who fraudulently used an app designed for airline employees to obtain three tickets to New York, the Brussels Times reports. The man bought the tickets through the app, then cancelled the purchase and received a refund. He then manipulated the URLs of the tickets so that they were still valid. The airline is seeking the price of the tickets plus an extra €1,000 for the cost of securing their system. The man’s lawyer contests this extra charge, according to HLN, arguing that “my client told Brussels Airlines exactly where their weaknesses were, so they should be grateful for that.”

Policies, procurements, and agency equities.

US Senators Lindsey Graham (Republican of South Carolina), Richard Blumenthal (Democrat of Connecticut), Josh Hawley (Republican of Missouri), and Dianne Feinstein (Democrat of California) introduced the EARN IT Act on Thursday. The bill would set up a government commission that would define best practices for tech companies to fight child sex abuse material online. If companies refuse to comply with these best practices, they could lose immunity provided by Section 230 of the Communications Decency Act, which holds that, for the most part, tech companies can’t be held liable for content hosted on their platforms as long as the companies take appropriate action when they come across illegal content. According to Politico, the bill currently has the support of four Republicans and six Democrats in the Senate.

Most observers, including WIRED, see the EARN IT Act as the US Justice Department’s long-anticipated attempt to compel companies to build ways for law enforcement to gain access to encrypted communications. Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at the Stanford Center for Internet and Society, told the CyberWire that the Act is a “way of coming up with best practices that would tell providers, you would be risking your immunity under Section 230 if you did not adopt best practices that basically require walking away from privacy and security protective measures that those platforms have implemented, such as end-to-end encryption.” Pfefferkorn summarizes the ways in which the proposal that was introduced Thursday differs from an earlier draft of the bill, concluding that “It’s still a sprawling mess that would take a roomful of lawyers and policy wonks, with many different kinds of expertise, to issue-spot everything that’s weird or problematic with it.”

Members of the Cyberspace Solarium Commission (CSC) on Tuesday previewed some recommendations in their report due to be released next week. First, the CSC strongly advocates for the use of paper ballots due to the importance of trust in the voting process. Second, the CSC will recommend that a fifth member be added to the US Election Assistance Commission (EAC), who will focus solely on issues of election security. The EAC is currently made up of two Republicans and two Democrats, which often leads to gridlock. The CSC believes adding another member to address the non-partisan issue of election security can help get the wheels moving, at least in this area. A third recommendation is civic education, particularly around disinformation.

Germany’s BSI has instructed local government institutions not to pay the ransom if they suffer a ransomware attack, BleepingComputer reports.

Fortunes of commerce.

Maersk is laying off 150 employees from its command-and-control center in the UK, the Register reports. These employees were largely responsible for Maersk’s recovery from the NotPetya attack in 2017.

Labor markets.

The Cyber Security Agency of Singapore (CSA) will oversee a Cyber Talent initiative that will contact more than 20,000 people for potential talent-spotting for cybersecurity jobs, the Straits Times reports.

Mergers and acquisitions.

Xerox is moving forward with its attempted takeover of HP, the Wall Street Journal reports. The company is offering HP’s shareholders $24.00 per share. HP maintains that it’s open to a potential combination, but argues that Xerox’s offer is too low.

Professional services firm Accenture has purchased UK-based cyber defense consultancy Context Information Security from Babcock International Group for an undisclosed amount.

UK-based semiconductor maker Arm has sold its cybersecurity unit Trustonic to London-based private equity firm EMK Capital for an undisclosed amount, the Telegraph reports.

Northern Ireland-based network intelligence and security company Titan IC has been acquired by Sunnyvale, California-based Mellanox Technologies, a company that provides interconnect products for servers and storage. The Irish News notes that Mellanox itself is being acquired by Santa Clara, California-based Nvidia for $6.8 billion.

Thoma Bravo has completed its acquisition of British cybersecurity firm Sophos for $3.9 billion. The deal took Sophos private, and the company’s stock is no longer being traded on the London Stock Exchange.

Investments and exits.

Santa Clara, California-based network-level security company Ordr has received additional Series B funding from Mayo Clinic and Kaiser Permanente. The company didn’t disclose the exact amount of the new funding, but said it has “now raised approximately $50 million.”

Virginia-based software security company RunSafe Security has secured $3.5 million in a Series A funding round led by Lockheed Martin Ventures and NextGen Venture Partners.

Pleasanton, California-based smart security camera company Deep Sentinel has received investments from Nationwide and other undisclosed investors that have brought its Series A round up to $24 million, though the exact amount invested by Nationwide wasn’t disclosed, VentureBeat reports.

Source link

The post #cyberfraud | #cybercriminals | The Week that Was, 3.7.20 appeared first on National Cyber Security.

View full post on National Cyber Security

Print Friendly, PDF & Email