This posting is here to collect cyber security news in January 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
412 Comments
Tomi Engdahl says:
Hacktivist Gets 10-Year Prison Sentence for DDoS Attack on Hospitals
https://www.securityweek.com/hacktivist-gets-10-year-prison-sentence-ddos-attack-hospitals
A 34-year-old man from Somerville, Massachusetts, has been sentenced to 10 years in prison for launching distributed denial-of-service (DDoS) attacks against two healthcare organizations in the United States.
Tomi Engdahl says:
Facebook and Google Launch Asia-Pacific Bug Hunting Conference
https://www.securityweek.com/facebook-and-google-launch-asia-pacific-bug-hunting-conference
Facebook and Google have partnered to launch a new conference for the researchers interested on discovering and reporting vulnerabilities.
Tomi Engdahl says:
Google Secures Public DNS Queries With DNS-over-TLS
https://www.securityweek.com/google-secures-public-dns-queries-dns-over-tls
Tomi Engdahl says:
Hyatt Hotels Launches Public Bug Bounty Program
https://www.securityweek.com/hyatt-hotels-launches-public-bug-bounty-program
Hyatt Hotels Corporation on Wednesday announced the launch of a public bug bounty program that covers its websites and mobile applications.
Hyatt and its affiliates operate over 750 hotels in more than 55 countries. The Chicago-based hotel operator disclosed two payment card breaches in the past years: one in 2016, which impacted 250 properties worldwide, and one in 2017, which hit over 40 hotels in the Americas and Asia.
Following these data breaches, the company teamed up with bug bounty platform HackerOne for a private program. It has now decided to open its bug bounty program to the public.
Tomi Engdahl says:
Cisco Patches Serious DoS Flaws in Email Security Appliance
https://www.securityweek.com/cisco-patches-serious-dos-flaws-email-security-appliance
Tomi Engdahl says:
Reddit Locks Down Accounts Due to ‘Security Concern’
https://www.securityweek.com/reddit-locks-down-accounts-due-security-concern
Reddit this week decided to lock down some user accounts after detecting unusual activity on those accounts.
“A large group of accounts were locked down due to a security concern. By ‘security concern’, we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” one of the social network’s admins noted in a post on Wednesday.
Tomi Engdahl says:
Netanyahu Says Israel Ready to Thwart Election Cyber Meddling
https://www.securityweek.com/netanyahu-says-israel-ready-thwart-election-cyber-meddling
Israeli Prime Minister Benjamin Netanyahu said Wednesday that his country led the world in cyber defence, after a report that an unnamed nation planned to meddle in its upcoming general election.
“Israel is prepared to thwart a cyber intervention, we’re prepared for any scenario and there’s no country more prepared than we are,” he told reporters.
Tomi Engdahl says:
Financial Times:
Mondelez sues insurance company for refusing to pay out $100M claim for NotPetya damages, launching the first major legal battle over cyber attack cost recovery
http://t.co/qpBhJOUjf9
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
US Secret Service memo warns that card thieves are avoiding detection while carrying multiple counterfeit cards by relying on the Fuze smart card — Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying …
Secret Service: Theft Rings Turn to Fuze Cards
https://krebsonsecurity.com/2019/01/secret-service-theft-rings-turn-to-fuze-cards/
Street thieves who specialize in cashing out stolen credit and debit cards increasingly are hedging their chances of getting caught carrying multiple counterfeit cards by relying on Fuze Cards, a smartcard technology that allows users to store dozens of cards on a single device, the U.S. Secret Service warns.
Launched in May 2017, the Fuze Card is a data storage device that looks like a regular credit card but can hold account data for up to 30 credit cards. The Fuze Card displays no credit card number on either side, instead relying on a small display screen on the front that cardholders can use to change which stored card is to be used to complete a transaction.
After the user chooses the card data to be used, the card data is made available in the dynamic magnetic stripe on the back of the card or via the embedded smart chip. Fuze cards also can be used at ATMs to withdraw funds.
criminal investigations where Fuze Cards have been used by fraud rings.
theft rings are using Fuze Cards to avoid raising suspicions that may arise when shuffling through multiple counterfeit cards at the register.
But getting caught holding dozens of counterfeit or stolen cards is tough to explain to authorities.
Tomi Engdahl says:
Android Messages Can Now Detect and Block Spam
https://www.bleepingcomputer.com/news/google/android-messages-can-now-detect-and-block-spam/
Some Android users will start receiving notifications that Google’s Android Messages automated spam protection feature has been enabled on their devices to protect against spam messages as confirmed by Google.
Android Messages users who will receive the opt-out spam detection feature update will also be able to block and report spam messages:
Tomi Engdahl says:
Chromecast Hacker Calls it Quits After Hearing FBI Is Looking Into Him
https://www.bleepingcomputer.com/news/security/chromecast-hacker-calls-it-quits-after-hearing-fbi-is-looking-into-him/
Tomi Engdahl says:
MobSTSPY Info-Stealing Trojan Goes Global Via Google Play
https://threatpost.com/mobstspy-trojan-google-play/140534/
Across six apps, the spyware managed to spread to 196 different countries.
An Android spyware dubbed MobSTSPY has managed to ride trojanized apps to a widespread, global distribution, mainly via Google Play.
Tomi Engdahl says:
Detailed: How Russian government’s Fancy Bear UEFI rootkit sneaks onto Windows PCs
ESET sheds new light on ‘Lojax’ firmware infection
https://www.theregister.co.uk/2019/01/02/lojax_uefi_rootkit/
Dubbed Lojax, the software nasty embeds itself within the motherboard firmware of infected Windows PCs, allowing it to run as soon as the machine is powered up or reset, allowing it to ideally spy on the user and evade detection by the operating system or any antivirus tools. The firmware executes at the lowest levels, underneath OS kernels and apps, with full system access.
Tomi Engdahl says:
U.S. Senators Introduce Bi-Partisan Bill to Counter China Hacking Threat
https://www.securityweek.com/us-senators-introduce-bi-partisan-bill-counter-china-hacking-threat
As concern over the full cyber purpose of China and its state-sponsored hackers grows, two senators have introduced a bi-partisan bill aimed at protecting U.S. technology and economic supremacy.
Tomi Engdahl says:
Microsoft Patches Critical Flaws in Edge, Hyper-V, DHCP
https://www.securityweek.com/microsoft-patches-critical-flaws-edge-hyper-v-dhcp
Microsoft has fixed nearly 50 vulnerabilities with its Patch Tuesday updates for January 2019, including some critical flaws affecting Edge, Hyper-V and DHCP. None of the vulnerabilities patched this month appear to have been exploited, but one of them has been publicly disclosed.
Another critical flaw, CVE-2019-0547, allows an attacker to execute arbitrary code on a Windows DHCP client machine by sending it specially crafted DHCP responses.
Tomi Engdahl says:
Australia’s Early Warning Network Hacked
https://www.securityweek.com/australias-early-warning-network-hacked
A hacker managed to gain unauthorized access to Australia’s Early Warning Network (EWN) late last week, and used the service to send bogus messages to users.
The EWN is a service that Australia’s local governments use to send notifications about weather hazards, including damaging winds, thunderstorms, hail, heavy rain, and bushfire, as well as traffic warnings.
Tomi Engdahl says:
Sophos Acquires Cloud Security Firm Avid Secure
https://www.securityweek.com/sophos-acquires-cloud-security-firm-avid-secure
Tomi Engdahl says:
German, 20, Confesses to Massive Data Hack Spurred by ‘Annoyance’
https://www.securityweek.com/german-20-confesses-massive-data-hack-spurred-annoyance
German authorities on Tuesday said a 20-year-old hacker had confessed to stealing and leaking private data from hundreds of politicians, including Chancellor Angela Merkel, because he was “annoyed” by some of their public statements.
The young German, who is still studying and lives with his parents, was detained after police searched the family home in the western state of Hesse on Sunday.
The suspect was not remanded in custody however because he is fully cooperating and not deemed a flight risk, said Georg Ungefuk, a spokesman for the Frankfurt prosecution service’s internet crime office ZIT.
“The accused said he published the data because he had been annoyed by certain statements made by those affected,” Ungefuk told a press conference in Wiesbaden.
Tomi Engdahl says:
Government Incident Highlights Loophole in U.S. Breach Disclosure Regulations
https://www.securityweek.com/government-incident-highlights-loophole-us-breach-disclosure-regulations
The California Department of Insurance (CDI) fixed a vulnerability found on interactive.web.insurance.ca.gov on November 9, 2018 — the same day it was reported to the department by Indian firm Banbreach. The site had been hosting an Oracle reporting server that, according to Banbreach’s observations, had generated more than 24,450 reports in a 24-hour period.
Banbreach received an acknowledgement of its vulnerability report and a request for assurances that it would not misuse the data it had found. But Banbreach could not find, and has not found, any evidence of a public disclosure of the incident by the Department.
The Indian firm raised the matter with DataBreaches.net, which published its own observations yesterday. The post points out that “thousands — or even, perhaps, millions — of people” could have had personal data — including their social security number — exposed to anyone with internet access.
Tomi Engdahl says:
Adobe Patches ‘Important’ Flaws in Connect, Digital Editions
https://www.securityweek.com/adobe-patches-important-flaws-connect-digital-editions
Tomi Engdahl says:
Zerodium Offers $2 Million for iOS Hacks, $1 Million for Chat App Exploits
https://www.securityweek.com/zerodium-offers-2-million-ios-hacks-1-million-chat-app-exploits
Exploit acquisition firm Zerodium on Monday announced that it’s offering significantly higher payouts for many types of exploits, including up to $2 million for remote iOS jailbreaks and $1 million for vulnerabilities in popular chat applications.
Tomi Engdahl says:
Venäjä vakoilee Nato-sotilaita kuntoilusovellusten kautta – Belgia kieltää älypuhelimet Baltiassa työskenteleviltä
https://www.iltalehti.fi/ulkomaat/a/4a72338b-8944-4790-9bef-0ffe57abd4c2
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
The resumes of 202M+ Chinese users, with personal data including home addresses and mobile numbers, were exposed online on an unsecured MongoDB database server — Data appears to have originated from a data scraping app that collected resumes from Chinese job portals.
CVs containing sensitive info of over 202 million Chinese users left exposed online
https://www.zdnet.com/article/cvs-containing-sensitive-info-of-over-202-million-chinese-users-left-exposed-online/?mid=1
Data appears to have originated from a data scraping app that collected resumes from Chinese job portals.
A security researcher has stumbled over an unsecured MongoDB database server that contained highly detailed CVs for over 202 million Chinese users.
Who owned the database is still a mystery, said Bob Diachenko, Director of Cyber Risk Research at Hacken Proof, the one who found the server’s data left exposed online.
The MongoDB instance contained 854GB of data, with 202,730,434 records in total, most of which were CVs for Chinese users.
The resumes contained all the sensitive details you might expect to find on a CV
The info was a threat intelligence gold mine that was left open for the entire internet to find.
Tomi Engdahl says:
Vanessa Gera / Associated Press:
Poland has searched the Warsaw offices of Huawei and Orange, arrested a Chinese manager at Huawei and charged him with espionage on behalf of China — WARSAW, Poland (AP) — Poland’s Internal Security Agency has charged a Chinese manager at tech giant Huawei in Poland and one of its own former officers …
Poland: Huawei exec, Polish security expert spied for China
https://apnews.com/2d897492e2b042589f734592524d0fae
Tomi Engdahl says:
Issie Lapowsky / Wired:
Researchers develop tool that can predict where Twitter users live with 92.5% accuracy using GPS data from geotagged tweets posted prior to April 2015
Your Old Tweets Give Away More Location Data Than You Think
https://www.wired.com/story/twitter-location-data-gps-privacy/
Tomi Engdahl says:
Scooter startup Bird tried to silence a journalist. It did not go well.
https://techcrunch.com/2019/01/11/scooter-startup-bird-silence-journalist/?utm_source=tcfbpage&sr_share=facebook
Cory Doctorow doesn’t like censorship. He especially doesn’t like his own work being censored.
Doctorow revealed in a blog post on Friday that scooter startup Bird sent him a legal threat, accusing him of copyright infringement and that his blog post encourages “illegal conduct.”
Doctorow declined, published the legal threat and fired back with a rebuttal letter from the EFF accusing the scooter startup of making “baseless legal threats” in an attempt to “suppress coverage that it dislikes.”
scooters can be easily converted into a “personal scooter” by swapping out its innards with a plug-and-play converter kit.
The three-page rebuttal says Bird used incorrectly cited legal statutes to substantiate its demands for Boing Boing to pull down the blog post.
Bird should not send takedown notices to journalists using “meritless legal claims,” the letter said.
All too often, companies send legal threats and demands to try to silence work or findings that they find critical, often using misinterpreted, incorrect or vague legal statutes to get things pulled from the internet. Some companies have been more successful than others, despite an increase in awareness and bug bounties, and a general willingness to fix security issues before they inevitably become public.
Now Bird becomes the latest in a long list of companies that have threatened reporters or security researchers
That effort resulted in several companies — notably Dropbox and Tesla — to double down on their protection of security researchers by changing their vulnerability disclosure rules to promise that the companies will not seek to prosecute hackers acting in good-faith.
Tomi Engdahl says:
Another server security lapse at NASA exposed staff and project data
https://techcrunch.com/2019/01/11/security-lapse-nasa-project-data-exposed/?utm_source=tcfbpage&sr_share=facebook
Two months ago, NASA quietly fixed a buggy internal server that was leaking sensitive information about the agency’s staff and their work.
The leaking server was — ironically — a bug-reporting server, running the popular Jira bug triaging and tracking software
According to Jain’s writeup, some Jira instances can be misconfigured to allow “everyone” access without a password — including anyone on the internet — and not “everyone” within an organization, as some believe.
This was the case for NASA’s leaking server.
#BugBounty — Exposed JIRA server leaks NASA staff and project data!
https://medium.com/@logicbomb_1/bugbounty-nasa-internal-user-and-project-details-are-out-2f2e3580421b
One of the biggest concerns of any company is ensuring that internal information is kept confidential and only available to specific individuals within and outside of an organisation. In other words by providing security, integrity and availability of their data (among another aspects), companies can sustain competitive advantage regarding their development plans, findings, talent employment etc.
There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users and it can provide unauthorized access to some internal data of the companies to any other user over the internet. This information may aid an attacker in gaining access to the application.
Tomi Engdahl says:
New reports find Amazon.com failed to inform customers that their smart home video would be reviewed by humans
Reports raise video privacy concerns for Amazon-owned Ring
https://techcrunch.com/2019/01/10/amazon-ring-privacy-concerns/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable
https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
Tomi Engdahl says:
The database was indexed in data search engines Binary Edge and Shodan, and was freely visible without a password or login
An unsecured database exposed the personal details of 202M job seekers in China
https://techcrunch.com/2019/01/11/202-million-job-seekers-personal-data-exposed/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Daria Solovieva / Fast Company:
Microsoft has avoided the scrutiny over privacy issues that has ensnared rivals by working with regulators and advocating its own solutions
How Microsoft has (so far) avoided tough scrutiny over privacy issues
https://www.fastcompany.com/90290137/how-microsoft-has-avoided-tough-scrutiny-over-privacy-issues
The “original gangster of big tech” has managed to dodge the bad headlines and congressional grilling that have ensnared its rivals by working with regulators and advocating its own solutions.
Tomi Engdahl says:
Hacker who took down entire nation’s internet is jailed
https://amp.cnn.com/cnn/2019/01/12/uk/hacker-liberia-cyber-attack-jailed-gbr-intl/index.html
A British hacker whose cyberattacks took the nation of Liberia offline has been jailed for almost three years.
Daniel Kaye launched a series of attacks on Liberian cell phone operator Lonestar in October 2015, which became so powerful they knocked out the west African country’s internet the following year.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers: a hacking group made ~$3.7M in Bitcoin since Aug. with Ryuk ransomware, which only targets firms with huge resources and can lay dormant for a year — Ryuk lies in wait for as long as a year, then pounces on only the biggest prey. — A recently discovered ransomware group …
New ransomware rakes in $4 million by adopting a “big game hunting” strategy
https://arstechnica.com/information-technology/2019/01/new-ransomware-rakes-in-4-million-by-adopting-a-big-game-hunting-strategy/
Ryuk lies in wait for as long as a year, then pounces on only the biggest prey.
Tomi Engdahl says:
Lindsey O’Donnell / Threatpost:
Dozens of government websites rendered insecure or inaccessible due to 80+ expired TLS certificates that haven’t been renewed due to the US government shutdown
U.S. Government Shutdown Leaves Dozens of .Gov Websites Vulnerable
https://threatpost.com/u-s-government-shutdown-leaves-dozens-of-gov-websites-vulnerable/140782/
Tomi Engdahl says:
Rita Katz / Wired:
How ISIS is changing how it uses tech to recruit and coordinate, by moving to free public chat apps and services like RocketChat, Yahoo Together, Viber, Discord
A Growing Frontier for Terrorist Groups: Unsuspecting Chat Apps
https://www.wired.com/story/terrorist-groups-prey-on-unsuspecting-chat-apps/
Heads up, tech companies: If your product appeals to the masses, it likely also holds allure for terrorist groups like ISIS.
ISIS has effectively exploited the power of technology to fuel its rise around the globe, from streaming and file-sharing platforms to messenger applications and social media services. Many tech companies have responded in turn, strengthening their oversight and security measures. But while major platforms like Facebook, Twitter, YouTube, and Telegram are becoming increasingly inhospitable to ISIS, the group’s reach is growing on lesser-known messenger apps designed for businesses and gamers.
Tomi Engdahl says:
Huawei Fires Sales Manager Who Poland Charged With Spying
https://www.securityweek.com/huawei-fires-sales-manager-who-poland-charged-spying
The Chinese tech company Huawei on Saturday announced it has fired a sales director who was arrested in Poland and charged with spying for China, saying he has brought the firm’s reputation “into disrepute.”
The company said it has “decided to terminate the employment of Mr. Wang Weijing, who was arrested on suspicion of breaking Polish law.”
Tomi Engdahl says:
Rapid7 Releases Metasploit 5.0
https://www.securityweek.com/rapid7-releases-metasploit-50
Rapid7 on Friday announced the release of Metasploit 5.0. The latest major version of the popular penetration testing framework introduces several new important features, improved performance, and its developers say it should be easier to use.
According to Rapid7, Metasploit 5.0 brings significant changes in terms of database and automation APIs, improving the way the platform interacts with data and other tools. Metasploit has been using the PostgreSQL database system, but the latest version also allows users to run the database as a RESTful service, enabling interaction with Metasploit consoles and external tools.
Tomi Engdahl says:
Was North Korea Wrongly Accused of Ransomware Attacks?
https://www.securityweek.com/was-north-korea-wrongly-accused-ransomware-attacks
Ryuk Ransomware’s Attribution to North Korea Likely Incorrect, Multiple Security Firms Believe
The Ryuk ransomware that emerged in summer of 2018 is likely not the work of state-sponsored North Korean hackers, security researchers now say.
Tomi Engdahl says:
Juniper Networks Patches Over 60 Flaws in Junos, ATP Products
https://www.securityweek.com/juniper-networks-patches-over-60-flaws-junos-atp-products
Tomi Engdahl says:
Poland Charges Huawei Manager, Ex-spy With Spying for China
https://www.securityweek.com/poland-charges-huawei-manager-and-pole-spying-china
Poland has arrested a Chinese manager at tech giant Huawei in Poland and one of its own former counter-espionage officers and charged them with spying on Poland for China, state television and officials reported Friday.
The development comes as the U.S. is exerting pressure on its allies to block Huawei, the world’s biggest maker of telecommunications network equipment, over data security concerns.
Tomi Engdahl says:
Phishers Use Zero-Width Spaces to Bypass Office 365 Protections
https://www.securityweek.com/phishers-use-zero-width-spaces-bypass-office-365-protections
A recently addressed vulnerability in Office 365 allowed attackers to bypass existing phishing protections and deliver malicious messages to victims’ inboxes.
The issue, cloud security firm Avanan says, resided in the use of zero-width spaces (ZWSPs) in the middle of malicious URLs within the RAW HTML of the emails. This method breaks the URLs, thus preventing Microsoft’s systems from recognizing them and also preventing Safe Links from successfully protecting users.
What’s more, these zero-width spaces don’t render, meaning that the recipient would not notice the random special characters in the URL. The first wave of emails abusing this vulnerability was observed on November 10, and Microsoft addressed the issue on January 9, Avanan’s security researchers say.
Tomi Engdahl says:
For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too
https://theintercept.com/2019/01/10/amazon-ring-security-camera/
Tomi Engdahl says:
APT heist of Singapore health data exploited Microsoft Outlook, inquiry finds
https://www.cyberscoop.com/apt-heist-singapore-health-data-exploited-microsoft-outlook-inquiry-finds/
An advanced hacking operation that last year stole personal data on 1.5 million health care patients in Singapore, including the prime minister, targeted an unpatched version of Microsoft Outlook, an official inquiry has found.
The hackers exploited a known vulnerability in Outlook using “a publicly available hacking tool, which allowed the attacker to install malware on compromised workstations,” says a more than 400 page report published Thursday by a government-backed commission.
Tomi Engdahl says:
Malware found preinstalled on some Alcatel smartphones
https://www.zdnet.com/article/malware-found-preinstalled-on-some-alcatel-smartphones/
Malware was also available inside an official Alcatel app available through the Google Play Store.
Tomi Engdahl says:
Chinese group swindles $18.5 million from Indian arm of Italian company: Economic Times
https://www.reuters.com/article/us-mairetecnimont-india-fraud/chinese-group-swindles-18-5-million-from-indian-arm-of-italian-company-economic-times-idUSKCN1P40KE
MUMBAI (Reuters) – A group of Chinese hackers robbed 1.3 billion rupees ($18.45 million) from the Indian unit of Tecnimont SpA through an elaborate cyber fraud that included impersonating the Italian engineering firm’s chief executive, the Economic Times reported.
Tomi Engdahl says:
PHA Family Highlights: Zen and its cousins
January 11, 2019
https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html
Google Play Protect detects Potentially Harmful Applications (PHAs) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as “malware.” in a variety of ways, such as static analysis, dynamic analysis, and machine learning. While our systems are great at automatically detecting and protecting against PHAs, we believe the best security comes from the combination of automated scanning and skilled human review.
Tomi Engdahl says:
*taps on glass* Hellooo, IRS? Anyone in? Anyone guarding taxpayers’ data from crooks? Hellooo?
Could someone slide a note on identity-theft protection under the door? Helloooo?
https://www.theregister.co.uk/2019/01/12/senate_quizzes_irs/
With the partial US government shutdown showing no signs of letting up any time soon, senators are pressing treasury and tax officials on cybersecurity.
Of special concern to the Senator was prospect of taxpayer identity theft, a crime in which a crook uses stolen information, such as names and social security numbers, to file fake tax returns on behalf of a victim, pocketing the refunds in the process.
Stopping tax ID fraud has been a major priority for the IRS in recent months, but with employees either furloughed or facing the prospect of having to work sans paycheck, the committee is worried fraudsters and hackers will take advantage of reduced staffing levels to target IRS databases.
Tomi Engdahl says:
Exclusive: How a Russian firm helped catch an alleged NSA data thief
https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131
The U.S. has accused Kaspersky Lab of working with Russian spies. But sources say the company exposed a massive breach that U.S. authorities missed.
The 2016 arrest of a former National Security Agency contractor charged with a massive theft of classified data began with an unlikely source: a tip from a Russian cybersecurity firm that the U.S. government has called a threat to the country.
Moscow-based Kaspersky Lab turned Harold T. Martin III in to the NSA after receiving strange Twitter messages in 2016 from an account linked to him, according to two people with knowledge of the investigation.
The revelation also introduces an ironic turn in the negative narrative the U.S. government has woven about the Russian company in recent years.
Under both the Obama and Trump administrations, officials have accused the company of colluding with Russian intelligence to steal and expose classified NSA tools
“It’s irony piled on irony that people who worked at Kaspersky, who were already in the sights of the U.S. intelligence community, disclosed to them that they had this problem,” said Stewart Baker, general counsel for the NSA in the 1990s and a current partner at Steptoe and Johnson. It’s also discouraging, he noted, that the NSA apparently still hasn’t “figured out a good way to find unreliable employees who are mishandling some of their most sensitive stuff.”
“We all thought [Martin] got caught by renewed or heightened scrutiny, and instead it looks as though he got caught because he was an idiot,” he told POLITICO.
Tomi Engdahl says:
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Tomi Engdahl says:
A Nasty Trick: From Credential Theft Malware to Business Disruption
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
FireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly successful at soliciting large ransom payments from victim organizations. In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments. Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom. These operations have reportedly netted about $3.7 million in current BTC value.