The Week that Was, 5.30.20

China set to impose national security legislation on Hong Kong.

China's parliament overwhelmingly approved a proposal to impose new national security legislation on Hong Kong, the Guardian reports. The move is widely seen as signaling the end of the one-country, two-systems policy under which Hong Kong maintained a degree of autonomy. According to the Chinese government news outlet Global Times, the law allows Beijing to fix "loopholes" that led to Hong Kong's alleged failure to address acts of "treason, secession, sedition, subversion against the central government." The Washington Post says the legislation is expected to pass, possibly as early as next week, and it will bypass Hong Kong's own legislative processes.

US Secretary of State Mike Pompeo announced on Wednesday that "After careful study of developments over the reporting period, I certified to Congress today that Hong Kong does not continue to warrant treatment under United States laws in the same manner as U.S. laws were applied to Hong Kong before July 1997. No reasonable person can assert today that Hong Kong maintains a high degree of autonomy from China, given facts on the ground....While the United States once hoped that free and prosperous Hong Kong would provide a model for authoritarian China, it is now clear that China is modeling Hong Kong after itself."

China's move is likely to incur further sanctions from the US, and Quartz notes that the US could potentially revoke Hong Kong's special trade status, although this is thought to be unlikely. Yahoo News quotes China's foreign ministry spokesman as saying, "If the US insists on hurting China's interests, China will have to take every necessary measure to counter and oppose this."

Industrial supply chain attacks.

Kaspersky ICS CERT describes an ongoing attack campaign targeting suppliers of industrial equipment and software. The affected organizations are located in Japan, Italy, Germany, and the UK. The attacker's motivation is unclear, but Kaspersky concludes that "[i]t is a matter of concern that attack victims include contractors of industrial enterprises."

The threat actor is using phishing emails with macro-laden Microsoft Office attachments, and the malware will only execute if the local operating system's language matches the language used in the phishing email. The infection chain involves extracting a steganographically concealed script from an image hosted on legitimate image hosting services, including Imgur. The goal of the malicious script is to install the password-stealing tool Mimikatz on the compromised machine.

Sandworm exploiting Exim vulnerability.

The US National Security Agency issued an alert on Thursday warning that Unit 74455 of Russia's GRU, also known as "Sandworm," has been targeting a vulnerability (CVE-2019-10149) in the Exim Mail Transfer Agent (MTA) since at least last August, CyberScoop reports. NSA says the threat actor has "used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA." A patch for the vulnerability was released last year, and NSA "adds its encouragement to immediately patch to mitigate against this still current threat."

Berserk Bear targets German industrial operations.

CyberScoop says German intelligence services have warned that the Russian threat actor Berserk Bear is targeting German industrial operations in the energy and water sectors. The authorities stated, "The attackers’ goal is to use publicly available but also specially written malware to permanently anchor themselves in the IT network…steal information or even gain access to productive systems."

Berserk Bear is thought to be tied to Russia's Federal Security Service (FSB). In 2018, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert stating that the group had been targeting IT networks and industrial control systems at US organizations in the energy, nuclear, water, and manufacturing sectors.

Impacts of COVID-19 on state-sponsored cyber operations.

The Canadian Centre for Cyber Security (CCCS) publicly released a bulletin outlining the Centre's view of COVID-19's effects on the cyber threat landscape. The Centre says foreign intelligence agencies are focused on collecting information that will help their governments respond to the pandemic, particularly obtaining "intellectual property and other sensitive data pertaining to COVID-19 medical research, but also to attain advanced warning of public health responses (e.g., travel restrictions) under consideration by foreign states." The Centre also believes these actors are interested in "information regarding the COVID-19 pandemic’s effect on military preparedness, particularly in areas with ongoing territorial disputes or geopolitical friction."

Interestingly, the CCCS states that, while state-sponsored threat actors have apparently temporarily decreased their operational tempo due to COVID-19-related shutdowns, cyberespionage operations can be expected to increase over the coming year, "particularly if more traditional avenues of intelligence collection continue to be significantly hampered by global travel restrictions and the sustained disruption of global commerce, international agencies, and academic institutions." Additionally, due to the global economic effects of the pandemic, the Centre says "state-sponsored cyber programs that were under significant economic pressure prior to the pandemic due to international sanctions will likely attempt to supplement dwindling state revenues through cybercrime."

The CCCS also describes risks related to COVID-19 contact-tracing technologies, stating that authoritarian governments will likely use the pandemic as an excuse to obtain foreign surveillance technology. The bulletin calls out NSO Group specifically, pointing out that the spyware company is currently testing its COVID-19-tracking mobile app in at least twelve countries. The Centre also expects to see disruptive influence campaigns exploiting the privacy concerns surrounding contact-tracing apps.

China-based botnet disrupted.

ZDNet reports that Chinese security firm Qihoo 360 assisted Baidu in disrupting a major botnet affecting hundreds of thousands of Chinese users. In a blog post last week, Qihoo explained that the botnet was traced to the DoubleGun Group (also known as ShuangQiang), a cybercriminal gang based in China. The malware is spread via pirated games, and its purpose is to infect users with additional malware and steal credentials. Baidu and Qihoo took down some of the gang's infrastructure, but they expect the disruption to be temporary.

New iOS jailbreak released.

A group of researchers this past Saturday released an iOS jailbreak, Unc0ver 5.0.0, that reportedly works on devices running the most recent version of iOS (13.5). Notably, the jailbreak is said to use a zero-day flaw in the kernel to achieve root access. ZDNet notes that most jailbreaks, particularly in recent years, have used known vulnerabilities that have already been patched.

Apple by default gives users limited control over the operating system, requiring them to install vetted apps through the official App Store. A jailbreak is a software tool that allows users to bypass those restrictions and gain root access on the device, usually by exploiting vulnerabilities in the operating system. This grants users access to parts of the system that are otherwise restricted and enables them to install apps from third-party sources, but it also generally opens the device up to serious security risks.

In this case, the researchers haven't disclosed the vulnerability they used, and the jailbreaking software isn't open-source. As a result, the jailbreak will probably remain effective until Apple itself discovers the vulnerability and issues a patch. Unc0ver's lead developer, who goes by "Pwn20wnd," estimates that this will take at least two to three weeks, according to Motherboard.

Interestingly, the researchers claim that the latest version of Unc0ver "preserves security layers designed to protect your personal information and your iOS device by adjusting them as necessary instead of removing them." AppleInsider and others stress that this claim hasn't been independently verified, and that for the vast majority of users the security risks and technical challenges associated with jailbreaking outweigh the benefits.

For more, see the CyberWire Pro Research Briefing.

Patch news.

Apple's iOS 13.5 and iPadOS 13.5 addressed two zero-click vulnerabilities affecting the Mail app, BleepingComputer reports. The vulnerabilities were publicly disclosed by ZecOps on April 20th. Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) released a statement urging users to install the updates, saying the vulnerabilities are "particularly critical."

Crime and punishment.

British Columbia's Supreme Court ruled on Wednesday that the charges against Huawei CFO Meng Wanzhou meet the double criminality requirement for extradition—that is, the charges would qualify as crimes in Canada as well as in the US. Ms. Meng's attorneys had argued that since the charges were related to US sanctions against Iran, the activity wouldn't have amounted to fraud if it had taken place in Canada. Associate Chief Justice Heather Holmes concluded that "the essence of the alleged wrongful conduct in this case is the making of intentionally false statements in the banker client relationship that put HSBC at risk. The US sanctions are part of the state of affairs necessary to explain how HSBC was at risk, but they are not themselves an intrinsic part of the conduct." Holmes also stated that "Ms. Meng's approach to the double criminality analysis would seriously limit Canada’s ability to fulfill its international obligations in the extradition context for fraud and other economic crimes."

The US on Thursday unsealed an indictment charging twenty-eight North Korean and five Chinese individuals for money laundering, fraud, and sanctions violations related to North Korea's nuclear weapons and missile program, the Washington Post reports. The indictment alleges that the individuals worked for North Korea's Foreign Trade Bank and helped funnel over $2.5 billion through more than 250 front companies around the world.

Courts and torts.

Forescout Technologies has filed a lawsuit in Delaware against private equity firm Advent International after Advent backed off from its planned $1.9 billion acquisition of Forescout, Law360 reports. Forescout said in its press release that "Advent’s purported excuse for its wrongful conduct is that a closing condition to the transaction has not been satisfied because a 'material adverse effect' has occurred at Forescout. Forescout believes that no material adverse effect has occurred, that all closing conditions are satisfied, and that Advent is obligated to close the transaction. Forescout believes that Advent has relied on meritless excuses to support its position."

Forbes quotes an Advent spokesperson as saying the firm decided to back out of the deal "after an extensive analysis that included information provided by Forescout, the company’s first quarter 2020 financial results and a detailed forecasting exercise to better understand future performance. Advent’s analysis, which was shared with Forescout, established that the company has experienced a material adverse effect on its business, financial condition and operational results. In addition, there has been a disproportionate effect on the company’s business relative to its direct peers, most of which have reported strong financial performance in the current environment."

The American Civil Liberties Union has filed a lawsuit against controversial facial recognition company Clearview AI, Naked Security reports. The case "seeks to remedy an extraordinary and unprecedented violation of Illinois residents’ privacy rights by Clearview."

The state of Arizona has sued Google over the company's data collection practices, according to Consumer Reports. The lawsuit claims that Google's location settings on Android are misleading and inadequate, stating that "such acts and practices pervade Google's seemingly relentless drive to collect as much user location information as possible and make it exceedingly hard for users to understand what is going on with their location information, let alone opt out of this morass." A Google spokesperson told Threatpost, "The Attorney General and the contingency-fee lawyers filing this lawsuit appear to have mischaracterized our services. We have always built privacy features into our products and provided robust controls for location data."

Deloitte Consulting is facing a class-action lawsuit over a data breach that potentially exposed personal data belonging to applicants for Pandemic Unemployment Assistance (PUA), according to 21-WFMJ. Deloitte had assisted in developing the system to administer the PUA program for the Ohio Department of Jobs and Family Services, and recently discovered a bug that allowed "about two dozen" users to view the names, Social Security numbers, and addresses of other applicants.

Policies, procurements, and agency equities.

The Guardian reports that the British government has apparently changed course on Huawei's involvement in the UK's 5G networks. Under pressure from Conservative MPs, Boris Johnson has directed officials to formulate a plan to remove all of the Chinese telecom's equipment from the country's 5G networks by 2023. The government had initially planned to allow Huawei to supply up to 35% of the networks' non-core components.

President Trump on Thursday signed an  Executive Order on Preventing Online Censorship, directing the Commerce Department to request that the Federal Communications Commission consider reinterpreting Section 230 of the Communications Decency Act, CNET reports. Section 230 generally protects internet companies from liability for what users post on their platforms. The order is seen as targeting social media sites, particularly Twitter, and it was announced after Twitter fact-checked two of the president's tweets concerning mail-in voting and voter fraud.

The US House of Representatives abandoned a proposal to reauthorize certain surveillance authorities under the Foreign Intelligence Surveillance Act (FISA), the Washington Post reports.

See the CyberWire Pro Policy Briefing for more.

Mergers and acquisitions.

San Jose, California-headquartered Cisco has announced that it will acquire San Francisco-based network intelligence company ThousandEyes. Bloomberg reports that Cisco will pay close to $1 billion for the company.

Apple has acquired Ontario, Canada-based machine-learning startup Inductiv for an undisclosed amount, according to Bloomberg. Apple confirmed the purchase and said it "buys smaller technology companies from time to time and we generally do not discuss our purpose or plans," but Bloomberg reports that Inductiv's engineering team will be working on Siri.

Investments and exits.

Oregon-based e-commerce fraud prevention company Vesta has secured $125 million in growth capital from Goldfinch Partners.

Silicon Valley-headquartered crowdsourced penetration testing platform provider Synack has raised $52 million in a Series D round co-led by B Capital Group and C5 Capital, with participation from existing investors GGV Capital, GV, Hewlett Packard Enterprise, Icon Ventures, Intel Capital, Kleiner Perkins, M12, and Singtel Innov8.

Berkeley, California-based SaaS web development framework provider Gatsby has raised $28 million in a Series B round led by Index Ventures, with participation from existing investors CRV and Trinity Ventures.

San Francisco-headquartered security assurance platform provider Tugboat Logic has raised $8 million in a funding round led by Inovia Capital, with participation from Westwave Capital and individual investors including Tom Noonan and Terry Dolce.

Mountain View, California-based data privacy API startup Skyflow emerged from stealth with a $7.5 million seed investment round led by Foundation Capital’s Ashu Garg, with participation from Jeff Immelt and Jonathan Bush.

San Francisco and New York-based data monitoring startup Toro has raised $4 million in a seed funding round led by Costanoa Ventures and Point72 Ventures, TechCrunch reports.

Singapore-based next-generation networking and wireless technology company Ray has received a ₹2 crore (approximately US$265,000) investment from India-based antivirus vendor Quick Heal Technologies, the Hindu Business Line reports.

And security innovation.

The US Department of Energy has appointed the University of Texas at San Antonio to lead the Cybersecurity Manufacturing Innovation Institute, Daily Energy Insider reports.

More business news, including executive news, can be found in the CyberWire Pro Business Briefing.

Comments are closed.