PLA tries to buy AV products. Chinese surveillance of Uyghurs. Panda Stealer vs. cryptowallets. Peleton’s API. VDP expanded.

Attacks, Threats, and Vulnerabilities

How China turned a prize-winning iPhone hack against the Uyghurs (MIT Technology Review) In March 2017, a group of hackers from China arrived in Vancouver with one goal: Find hidden weak spots inside the world’s most popular technologies.  Google’s Chrome browser, Microsoft’s Windows operating system, and Apple’s iPhones were all in the crosshairs. But no one was breaking the law. These were just some of the people taking…

Chinese military unit accused of cyber-espionage bought multiple western antivirus products (The Record by Recorded Future) A Chinese military unit that was accused last month by Japanese authorities of carrying out a years-long cyber-espionage campaign was seen buying batches of different western-made antivirus products.

China’s PLA Unit is Purchasing Foreign Antivirus Products (Recorded Future) A branch of the PLA has sought to purchase antivirus software from several major American, European, and Russian security companies.

Iran’s Military Reportedly Backs Ransomware Campaign (GovInfo Security) Iran’s Islamic Revolutionary Guard Corps was behind a ransomware campaign that used a contracting company called “Emen Net Pasargard” to target more than

Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency (ZDNet) The malware hones in on cryptocurrency funds as well as VPN credentials.

U.S. Organizations Targeted by New Cybercrime Group With Sophisticated Malware (SecurityWeek) Organizations in the United States and other countries have been targeted by a new cybercrime group that uses sophisticated malware.

From URGENT/11 to Frag/44: Analysis of Critical Vulnerabilities in the Windows TCP/IP Stack (Armis) A new primitive to bypass firewalls using CVE-2021-24094, and provides a full analysis of this Windows TCP/IP stack vulnerability patched in February 2021.

Android users’ privacy at risk as Check Point Research identifies vulnerability on Qualcomm’s mobile station modems (Check Point Software) Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in

File-Sharing Services Continue to Be Ripe for Impersonation (Avanan) Attackers continue to use file-sharing services, in this case Doc Express, to launch impersonation attacks.

How malicious Office files and abused Windows privileges enable ransomware (CSO Online) Ransomware groups most often gain entry to Windows networks through malicious Office documents and then move laterally by abusing Windows privileges. Here’s how to defend against both.

Millions of UK households vulnerable to hacking through older broadband routers (Computing) Without firmware and security updates, there’s no guarantee that security issues will be fixed, says consumer group Which?

U.S. Agency for Global Media data breach caused by a phishing attack (BleepingComputer) The U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries.

Peloton’s Leaky API Spilled Riders’ Private Data (Threatpost) On top of the privacy spill, Peloton is also recalling all treadmills after the equipment was linked to 70 injuries and the death of one child.

Peloton’s leaky API let anyone grab riders’ private account data (TechCrunch) But the company won’t say if it has evidence of malicious exploitation.

Tour de Peloton: Exposed user data (Pen Test Partners) An unauthenticated user could view sensitive information for all users, and snoop on live class statistics and its attendees, despite having a private mode. TL;DR Information disclosed included: – User […]

In Peloton’s wild ride, a treadmill recall is one more obstacle (Quartz) Peloton’s image has taken another blow after a recall of the Tread+ treadmill following injuries to children.

Some cheeses have holes, your cyber security strategy should not. (Armis) As connected technology and automation has transformed the full logistics chain, there’s no way to process orders and hand-pick goods once the system goes down.

Apple’s AirTag trackers made it frighteningly easy to ‘stalk’ me in a test (Washington Post) Apple knows its tiny new lost-item gadgets could empower domestic abuse but doesn’t do enough to stop it

Notification of Data Security Incident (St. John’s Well Child and Family Center) St. John’s Well Child and Family Center (“St. John’s”) has learned of a data security incident that involved personal or health information belonging to certain current and former patients. On April 29, 2021, St. John’s notified potentially-affected patients of the incident.

Amazon Fake Reviews Scam Exposed in Data Breach (SafetyDetectives) The SafetyDetectives cybersecurity team uncovered an open ElasticSearch database exposing an organized fake reviews scam affecting Amazon.
The server contained

Spanish delivery startup Glovo hit by cyber attack (Reuters) A hacker broke into the systems of Spanish rapid-delivery startup Glovo last week, it said on Tuesday, without specifying what information might have been accessed.

Recent Phishing Attempt Targeted Campus (University of Arkansas News) A phishing attempt Tuesday morning targeted hundreds of university users early and asked for verification of an email address. IT Services will never ask users to verify information through email.

Security Patches, Mitigations, and Software Updates

Chrome for Windows Gets Hardware-enforced Exploitation Protection (SecurityWeek) The browser adopts Hardware-enforced Stack Protection to make exploitation more difficult and expensive for attackers.

Google Chrome adopts Windows 10 exploit protection feature (BleepingComputer) Google Chrome now hinders attackers’ efforts to exploit security bugs on systems with Intel 11th Gen or AMD Zen 3 CPUs, running Windows 10 2004 or later.

Dell fixes exploitable holes in its own firmware update driver – patch now! (Naked Security) These bugs date back to 2009, and they could give crooks who are already in your network access to sysadmin superpowers.

After more than a decade, SentinelOne researchers weed out Dell vulnerabilities (CyberScoop) Since 2009, vulnerabilities have lurked in Dell drivers that potentially affect hundreds of millions of machines, SentinelOne researchers said on Tuesday. Hackers could use the vulnerabilities to instigate a range of attacks, from ransomware to wipers that can erase hard drives, said J.A. Guerrero-Saade, principle threat researcher at the security firm. “They can basically do whatever they want,” Guerrero-Saade told CyberScoop.

Vulnerable Dell driver puts hundreds of millions of systems at risk (BleepingComputer) A driver that’s been pushed for the past 12 years to Dell computer devices for consumers and enterprises contains multiple vulnerabilities that could lead to increased privileges on the system.

Intel Says New Spectre Chip Flaw Is Already Fixed But Security Researchers Say Not So Fast (HotHardware) If this is truly the case, then only a fraction of code that’s out in the wild is actually written to the standard Intel is referencing.

Microsoft will soon remove Flash Player from Windows 10 devices (WeLiveSecurity) Microsoft has announced that Adobe Flash Player will be eliminated from Windows 10 devices come the Patch Tuesday security update in July.

SecureLink: 51% of organizations experienced a third-party data breach (VentureBeat) Organizations need to assess the security of third-party providers to minimize the risks of third-party remote access to their own networks.

States Most Affected by Internet Scams (Comparitech) Using data from the FBI’s Internet Crime Complaint Center, we analyzed the most common scams and which states are losing money to internet crimes.

Enterprises Misplace Trust in Partners, Suppliers (Security Boulevard) In an era when many organizations are focused on building zero-trust access control architectures, many are paradoxically extending considerable trust to the third parties they enable to access their systems remotely. And that trust is placing them at significantly increased risk of successful attacks against their business technology systems.

Consumers Would Rather Get a Root Canal or Watch Paint Dry Than Create Unique Passwords, Onfido Survey Finds (Onfido) 17% of consumers would rather watch paint dry than create a unique password for every online account

Datadobi Points to Research Highlighting the Impact of Data Growth on Storage Management (BusinessWire) Datadobi today released a new report by 451 Research which reveals the major impact that data growth is having on storage management.

Marketplace

Cymulate Raises $45 Million to Grow Its Attack Simulation Platform (SecurityWeek) Israeli cybersecurity testing firm Cymulate announced has raised $45 million through a Series C funding round, which brings the total amount raised by the company to $71 million

Forcepoint Acquires Remote Browser Isolation Innovator Cyberinc (PR Newswire) Forcepoint, a global leader in data-first cybersecurity solutions that protect critical information and networks for thousands of customers…

Huntress Raises $40M to Become the Go-To Cybersecurity Platform for SMBs, Arm Reseller Partners with New Services (GlobeNewswire) Led by JMI Equity, this latest fundraising enables Huntress to further its commitment to delivering cybersecurity to the 99% via local and national resellers.

Prevailion, Inc. Completes Strategic Round to Further Revolutionize Breach Prevention Through Adversary Counterintelligence (BusinessWire) This strategic round will accelerate Prevailion’s disruption of the threat detection and threat intelligence markets with a game-changing solution.

Imperva acquires CloudVector to provide visibility and security for API traffic (Help Net Security) Imperva has entered into an agreement to acquire CloudVector providing visibility and security for traditional public-facing APIs.

McAfee Eyes More M&A Following Sale Of Enterprise Business (CRN) McAfee will continue to examine acquisition opportunities that provide greater breadth or competitive differentiation as the company transitions into being a pure-play consumer cybersecurity vendor.

Digital Identity Startup ForgeRock Taps Banks for IPO (Bloomberg) ForgeRock Inc., a maker of identity-verification software, is working with banks on an initial public offering this year, according to people familiar with the matter.

Okta completes $6.5 billion acquisition of Auth0 (Information Age) Okta has announced the acquisition of Auth0, valued at approximately $6.5 billion, to accelerate growth in the $80 billion identity market

Britain’s IPO pipeline packed despite Deliveroo flop, minister says (Reuters) Deliveroo’s poor public debut in March has not put off other companies from listing in London, Britain’s financial services minister said on Tuesday.

DARPA releases IP2 AIE (Intelligence Community News) The Defense Advanced Research Projects Agency (DARPA) issued an Artificial Intelligence Exploration (AIE) opportunity for In-Pixel Intelligent Processing (IP2).

Inside the Mind of a  Cybersecurity Professional: Part 2 (IGI) Cybersecurity professionals understand that cybersecurity is a strategic company imperative that crosses all aspects of a business. 

SCADAfence Named “Best SCADA Security Solution” by SC Media (PR Newswire) SCADAfence, the global leader in cybersecurity for Operational Technology (OT) & Internet of Things (IoT) environments, today announced that…

Carson Block Calls for Delisting of Many Chinese Firms in U.S. (Wall Street Journal) ‘We have…roughly 400 companies from China listed in the U.S. that are literally beyond the reach of investigation and enforcement,’ the Muddy Waters founder said.

Relay Welcomes Global Cybersecurity Thought Leader, Expert, and Influencer Chuck Brooks to Cybeats Advisory Board (Street Insider) Relay Medical Corp. (“Relay” or the “Company”) (CSE: RELA, OTC: RYMDF, Frankfurt: EIY2) – welcomes global cybersecurity expert, thought leader, and influencer Chuck Brooks1 to the Advisory Board. The Cybeats platform (“Cybeats”) addresses the global US $73 Billion Internet of Things security market2 (IoT) and provides unique protection for sectors that handle critical infrastructure.

SolarWinds Accelerates its Plan for a Safer SolarWinds and Customer Community With the Appointment of Three New Executives (BusinessWire) SolarWinds (NYSE:SWI), a leading provider of powerful and affordable IT management software, today announced it has extended its executive team with t

MITRE Names Wen Masters as Vice President for Cyber Technologies (BusinessWire) MITRE has named Wen Masters as vice president for cyber technologies, where she will lead corporate cybersecurity strategy.

Former Cisco ANZ CTO Kevin Bloch joins vArmour as advisor (CRN Australia) In advisory role for the data centre and cloud security vendor.

Products, Services, and Solutions

Accurics Redefines Secure GitOps with Argo Integration for Open Source Terrascan (BusinessWire) Accurics open source project Terrascan integrates with the Argo Project to significantly enhance cloud security as developers adopt a GitOps approach.

Fast Company’s 2021 World Changing Ideas Awards Distinguishes IDX Privacy with Honorable Mention in Apps Category (PR Newswire) IDX, the leading consumer privacy platform and data breach services provider, announced the mobile app of its flagship product, IDX Privacy,…

Red Hat Open-Sourcing StackRox Security Technology (SecurityWeek) The StackRox community upstream project will open source and manage Red Hat Advanced Cluster Security for Kubernetes code.

Incident Management Platform |SecurityHQ Update (SecurityHQ) SecurityHQ are delighted to release our new and improved version of our leading Incident Management and Analytics Platform.

Veriff Unveils Verification Tooling Software, Enables In-House Integration Capabilities (News Powered by Cision) New offering enables external use of AI-powered identity verification technology for developers and

Veridium Partners with Jumio to Deliver Groundbreaking Biometric Identity Verification to Fight Fraud and Streamline Electronic Know Your Customer (eKYC) Initiatives (BusinessWire) Veridium Partners with Jumio on Biometric Identity Verification to Fight Fraud and Streamline Electronic Know Your Customer (eKYC) Initiatives

Infosec Announces New Cyber Training Program for Federal Agencies and Contractors (Infosec) Infosec, the leading cybersecurity education provider, today announced Infosec Skills Unlimited, a new program to equip federal agencies and contractors with cyber certification and training resources to meet Department of Defense 8570.01-M and Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) compliance requirements.

Tanium Rolls Out Certifications To Drive Partner Profitability (CRN) Tanium has introduced its first-ever certifications to make it easier for partners and customers to operate and administer the company’s endpoint visibility and control technology.

Feitian Technologies and Secret Double Octopus Partner to Extend the Reach of the Passwordless Workforce (Yahoo) Secret Double Octopus, the leader in enterprise passwordless authentication, today announced that it has partnered with Feitian Technologies, the acclaimed manufacturer of hardware authentication tokens and security keys.

Ping Identity Helps With DB Schenker’s Digital Transformation (Mobile ID World) DB Schenker has partnered with Ping Identity in an effort to streamline its identity and access management (IAM) procedures

Coalfire Achieves ISO 20000-1 And ISO 22301 Accreditation (Grand Junction Daily Sentinel) Coalfire ISO, the conformity assessment body arm of Coalfire, has received ISO/IEC 20000-1:2018 (“ISO 20000-1”) and ISO 22301:2019 (“ISO 22301”) accreditation through the

KnowBe4 Launches Artificial Intelligence-Driven Phishing Feature (PR Newswire) KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced a new feature –…

SecureAuth expands identity-as-a-service options (iTWire) Authentication and identity specialist SecureAuth has unveiled the latest release of its SecureAuth identity as a service product, which delivers several new features including the SecureAuth Identity Store. Large enterprises face a number of identity issues, SecureAuth chief marketing officer Brian…

Microsoft open-sources Counterfit, an AI security risk assessment tool (VentureBeat) Microsoft’s Counterfit toolkit aims to enable security teams to more easily test the robustness of AI systems both in and prior to production.

Technologies, Techniques, and Standards

DOD expands vulnerability disclosure program, giving hackers more approved targets (CyberScoop) The Pentagon is letting outside hackers go after more Department of Defense targets than ever before, the DOD announced Wednesday.

Air Force cyber school will add online training tool (C4ISRNET) U.S. Cyber Command has mandated that all the services must adopt the Persistent Cyber Training Environment at schoolhouses.

Insight into everything: Exploring use cases for Digital Space Orchestration (Verizon) Verizon’s on a mission to help humans, machines and enterprises better understand and engage with the world around them by breaking down information silos

Military cyber security decision-support Project Ike moves from lab, readies for Cyber Command deployment (Military & Aerospace Electronics) Project Ike will be used to map networks, assess the readiness of cyber teams, and command military cyber security forces.

Minimizing the Impacts of Shadow IT (SDxCentral) Shadow IT refers to employee use of applications not approved by an IT team. It may also refer to the improper use of applications.

If you build it, they will come: Four steps to building a security operations centre that top talent wants to be a part of (IDG Connect) In an age where junior analysts only stay at a job an average of 12 to 18 months, building an effective SOC means creating an environment that skilled workers are drawn to and has career staying power. Allistair Scott, Senior Security Engineer EMEA at Exabeam argues that CISOs, HR executives and C-suite leadership all share the responsibility of building a SOC people want to join and finding the right team to staff it.

DOD expands bug disclosure program to all publicly accessible systems (BleepingComputer) US Department of Defense (DOD) officials today announced that the department’s Vulnerability Disclosure Program (VDP) has been expanded to include all publicly accessible DOD websites and applications.

Information From Thin Air: Using SDR to Extract DTMF from Radio Waves (Black Hills Information Security) Ray Felch // Disclaimer  When using an FM transmitter, do not modify the intended operation of the module by amplifying the transmitted signal. Also, be sure that attaching an FM high gain antenna will NOT be transmitting outside the legal range for RF emissions. When transmitting any data, be sure you do not accidentally break any laws by illegally […]

Design and Innovation

This ambitious Microsoft project aims to fix cloud computing security (TechRepublic) Microsoft Research’s Project Freta aims to find invisible malware running on the cloud.

How to stop AI from recognizing your face in selfies (MIT Technology Review) A growing number of tools now let you stop facial recognition systems from training on your personal photos

Academia

Alberta vows to curb university’s research ties to China (The Globe and Mail) Advanced Education Minister Demetrios Nicolaides said he intends to speak to the University of Alberta’s administration about the need to curb scientific research that could undermine Canada’s national interest

Legislation, Policy, and Regulation

India excludes Huawei and ZTE from participating in 5G trials (Nikkei Asia) Jio Infocomm, Bharti Airtel, Vodafone Idea and state-run MTNL to conduct tests

A New Sanctions Strategy to Contain Putin’s Russia (Foreign Policy) It’s time for America and Europe to start putting serious economic pressure on Putin’s regime.

(Key)Notes from Hack the Capitol 2021: cybersecurity and critical infrastructure security. (The CyberWire) 2021 Hack the Capitol presenters discussed deterrence, partnership, leadership, ICS security, regulation, critical infrastructure security, hygiene, education, and the future of national cybersecurity strategy.

Analysis | The Cybersecurity 202: Lawmakers scramble for legislative solutions to a growing ransomware crisis (Washington Post) ‘These attacks are more than a mere inconvenience,’ said House Homeland cyber subcommittee chair Rep. Yvette D. Clarke (D-N.Y.). ‘They are a national security threat.’

The Cybersecurity 202: Lawmakers want greater resources, authorities for CISA to protect critical infrastructure (Washington Post) Leading voices in Congress say the nation’s top cybersecurity agency needs better resources to handle growing threats to critical services like water and power.

Cyberspace Solarium Commissioners Concerned Over Security of Nation’s Water Supply (Nextgov) Having succeeded in passing a number of their recommendations through the last National Defense Authorization Act, the commissioners plan to embrace an oversight role as they push for more new laws.

GOP Rep Urges Biden To Bolster Controls On Emerging Tech (Law360) The leading Republican on the House Foreign Affairs Committee called on the Biden administration to shore up restrictions on emerging technology by nominating someone with “real national security experience” to oversee export curbs, particularly when it comes to trade with China. 

Using the momentum of the pandemic to advance zero trust security (FedScoop) The loss of the physical perimeter and increased cyber risks opens opportunities to modernize authentication and digital identity controls.

India, UK agreed to strengthen defence ties including in maritime, counter-terror and cyberspace: MEA (The Economic Times) Prime Minister Narendra Modi held a virtual summit with his UK counterpart Boris Johnson on May 04. Speaking on the talks between the two leaders, MEA Joint Secretary (Europe West), Sandeep Chakraborty today said, “India and UK agreed to substantially strengthen defence and security engagement, including in the maritime domain, counter-terrorism and cyberspace. UK has also recently come up with integrated review on security, defence and foreign policy which identifies India as a key partner.”

Foreign Minister Calls for United European Response to Threats in Cyberspace (Hungary Today) Foreign Minister Péter Szijjártó on Monday in Tallinn called for a unified, “definitive” European answer to new types of threats emerging in the digital world, methods that will protect citizens against cybercrime and extremist ideologies. Szijjártó said that with the increased role of the digital world during the coronavirus pandemic, people are increasingly vulnerable to […]

New Hampshire Pushes Pause on Creating Supply Chain Authority (GovTech) New Hampshire lawmakers are waiting to see how the federal government navigates recent hacks before moving ahead with a piece of legislation aimed at tightening security around vendors and the supply chain.

Litigation, Investigation, and Law Enforcement

French journalist kidnapped by radical Islamists in Mali appears in video pleading for his life (Washington Post) Dubois was kidnapped in early April, but the French government held off announcing it in hopes of securing his release.

Data Scraping in EU Regulators’ Sights As Spain Orders Equifax to Delete Information (Wall Street Journal) European privacy regulators are looking into how companies scrape data from public sources

Privacy Chiefs Say Patchwork Data Laws Mean Lawyers Must Work Alongside Engineers (Wall Street Journal) Ensuring compliance with data protection laws has become so complicated that companies must make room for regulatory and ethics experts in product engineering processes.

Ransomware Scourge May Be Nearing Its Breaking Point (Law360) New task forces convened by the U.S. Department of Justice and a cybersecurity-focused nonprofit are confronting the sobering reality of ransomware, which has become a constant menace to institutions of all types and one of the nation’s top security threats.

Ransomware Pushes Up Cost Of Cyber Insurance, Marsh Says (Law360) The cost of cyber insurance increased by a third in the past year due to a rise in costly ransomware attacks on businesses, according to figures from Marsh.

Scammer Used Fake Court Order to Take Over Dark Web Drug Market Directory (Vice) Dark.fail includes links to dark web markets. A scammer tricked a domain registrar into transferring ownership of the domain with a fake document.

Excess Insurer Defeats Vizio’s Suit Over $17M Privacy Deal (Law360) A California federal judge has freed Arch Insurance Co. from having to cover Vizio Inc.’s $17 million settlement in multidistrict litigation accusing the TV maker of selling data without consumers’ consent, finding the excess insurer has no duty to provide a defense.

US Prosecutors Confirm Request for Special Master Amid Attorney-Client Privilege Fight Triggered by Giuliani Raid (New York Law Journal) The move, which would allow a neutral referee to make determinations about what potential evidence can be reviewed by investigators, comes amid what observers expected to be a sticky legal battle over what attorney-client privileges may attach to Giuliani.

FBI raid exposes Giuliani and signals widening criminal search, experts say (the Guardian) High-profile nature of search highlights inquiry’s seriousness and suggests officials may have new Ukraine-related leads to follow

Spotify Urged To Abandon Speech Patent Over Privacy Issues (Law360) More than 180 musicians and human rights organizations are pressing Spotify to publicly disavow a speech recognition patent, saying it raises many privacy and inequality concerns and that the music streaming provider’s assertion that it has “no plans” to implement this technology isn’t enough.

Snowden slams Harris, Blinken for celebrating World Press Freedom Day (New York Post) Edward Snowden slammed Vice President Harris and Secretary of State Tony Blinken for celebrating World Press Freedom Day as the United States continues its prosecution of Julian Assange.