In brief Google’s legally fraught journey to buy cybersecurity firm Mandiant is in its final stretch, with the US Department of Justice closing its investigation and giving the green light for the sale.
In a regulatory filing submitted to the Securities and Exchange Commission by Mandiant, the company said the DoJ also waived the mandatory waiting period for the merger, which was apparently a condition of the sale. The ball is now in Google and Mandiant’s court to decide when the merger concludes.
The deal, announced in March, would bring the security provider under the Google Cloud umbrella. At $5.4 billion, it was Google’s second-biggest purchase ever, surpassed only by its 2011 purchase of Motorola Mobility for $12.5 billion.
The Google/Mandiant saga was further complicated in early April, when a Mandiant shareholder filed a lawsuit to block the sale, citing misleading statements by the security firm to its investors. The shareholder accused Mandiant and its financial advisers of preparing a set of non-public financial forecasts that were not included in proxy filings related to the Google purchase.
Although the DoJ has given its approval for the sale, the lawsuit continues, at least according to the most recent publicly available documents, from late May, when a representative for Mandiant appeared in court.
Mandiant’s filing this week indicates the companies still expect to close the merger by the end of 2022.
T-Mobile US said it will spend $500 million — $350 million on its customers, an additional $150 million on improving its systems — to settle class action lawsuits over last year’s disclosure that information about millions of people had been stolen and leaked.
Uber settles data breach case
In a last-minute deal on Friday, Uber settled its case with the US government over covering up a massive data breach and paying off the crims who did it.
In a statement, the US Department of Justice said: “Uber has admitted and accepted responsibility for the actions of its officers, directors, employees and agents in concealing its 2016 data breach from the Federal Trade Commission (“FTC”), which, at the time of the 2016 breach, had an ongoing investigation into the company’s data security practices.”
Uber admitted that 57 million user records as well as 600,000 driver’s license numbers had been accessed and, rather than working with law enforcement, the incident went unreported until a new CEO came on board. Joe Sullivan, CSO at the time, is facing wire fraud charges after allegations he bought the data thieves’ silence with a six-figure payment and a non-disclosure agreement.
Sullivan has now left Uber.
Uber has already agreed to a 20-year period of oversight over the incident and paid US states $148 million to settle the matter.
Stupid macOS malware works from the cloud
ESET researchers have discovered a new sample of macOS malware that uses public cloud services to store payloads, exfiltrate data and perform command and control of infected machines.
Dubbed CloudMensis, the malware has a variety of capabilities, the ESET research team says, including listing running processes; taking screenshots; listing emails, attachments and files on removable media; executing shell commands and piping the output to cloud storage; and downloading and executing arbitrary files.
ESET found support for pCloud, Yandex Disk and Dropbox in the CloudMensis code. In the sample ESET examined, multiple cloud providers were used to store different C2 components and services.
The researchers said they still don’t know how CloudMensis initially infects the machines, but they found no new zero-day vulnerabilities in the malware sample they obtained. As it does not use any new macOS weaknesses to infect machines, ESET advises all Mac users to keep their systems up to date.
Marc-Etienne Léveillé, an ESET researcher who analyzed CloudMensis, said the quality of the code and the lack of obfuscation suggest that its developers were either unfamiliar with macOS development or generally “not so advanced”.
“Nevertheless, a lot of resources have gone into making CloudMensis a powerful spy tool and a threat to potential targets,” Léveillé said.
Compromised Ukrainian radio stations spread fake news
TAVR Media, a broadcasting network that operates nine major radio stations in Ukraine, was compromised by attackers last week and used to spread false reports that Ukrainian President Volodymyr Zelensky was in critical condition.
According to the Special State Communications Service of Ukraine (SSCIP), the attackers claimed that Zelensky had been hospitalized in poor enough health to hand over control of the country to Ukrainian parliament speaker Ruslan Stefanchuk, which is untrue.
“TAVR MEDIA GROUP Reports that the information given on their radio stations is not true. The matter is now being addressed by the relevant agencies,” the SSCIP said in a tweet.
Zelensky also posted a video to Instagram later that day, saying he was in his office and “never felt as healthy as I do now,” according to a translation in Infosecurity Magazine. Zelensky also blamed Russia for the attack, although no concrete link to an attacker was reported.
Russia has been waging disinformation campaigns inside Ukraine since its invasion of the country in late February. Google’s Threat Analysis Group recently said that “many Russian government cyber assets have remained focused on Ukraine and related issues since the start of the invasion.”
In addition to aggressive online attack campaigns, Russian cyber-spies also took to social media to influence the conflict, with Meta saying it had disrupted attacks, deleted posts and suspended accounts directly linked to the Belarusian KGB.
FCC launches investigation into 15 US wireless carriers
The US Federal Communications Commission wants to know all the ins and outs of how big US telecommunications companies store and share customer data, so it’s asking 15 of the biggest to take a look behind their data retention curtains.
Letters from FCC Chairwoman Jessica Rosenworcel were sent to AT&T, Best Buy Health (operators of Lively), Charter Communications, Comcast, Consumer Cellular, C-Spire, DISH Network, Google, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, T-Mobile, US Cellular and Verizon.
All the letters are identical except for the brand names, and ask a lot of questions about data retention and sharing, including where the data is stored and for how long, data deletion policies, opt-out capabilities, agreements with third parties to share geolocation data, customer notification and more.
“Given the highly sensitive nature of this data…the ways in which [it] is stored and shared with third parties is of the utmost importance to consumer security and privacy,” Rosenworcel said in the letters.
The letters were written two days before the announcement that the American Data Privacy and Protection Act had passed committee and was heading to the House. If passed, the ADPPA would limit how companies could collect and use customer data and would be the first federal data privacy law in the United States.
While this may not be directly related to ADPPA’s advance, Rosenworcel said an FTC report from last year found that 98% of mobile internet service providers “collect more data than necessary to provide services and more data than consumers expect”.
With lawmakers scrutinizing them for exactly that, the information uncovered by the FCC could serve as vindication to sway skeptics as the ADPPA continues to make progress. Rosenworcel wants answers by August 3; with the Congressional August recess beginning next week, that data will likely be available long before a vote on ADPPA takes place.
Common Google searches are lousy with malvertising
The next time you do a Google search for YouTube, Facebook, Amazon, or Walmart, pay close attention to the link you click: the top result could very well be a malvertising link that is hard to tell from the real thing.
The Malwarebytes Threat Intelligence team reports a Google Ads malvertising campaign that, at first, appears legitimate: it uses legitimate-looking ads to lure people to malicious sites that push them into calling tech support scams.
This campaign stands out, Malwarebytes said, because it exploits the common search behavior of “searching for a website by name instead of entering its full URL in the address bar.” That, and it targets incredibly common search terms.
Bad actors, whom Malwarebytes has not identified, operate by buying Google Ad space for common search terms and closely related misspellings of them (typos). To make the advertisements harder to spot, the cybercriminals use a technique known as ‘cloaking’, which is against Google’s Webmaster Guidelines.
Cloaking uses a series of redirects based on the user who clicked the link: malicious pages for people and legitimate sites for crawlers.
The redirect mechanism in this campaign is doubly tricky: it opens the actual page so the URL looks correct, but at the same time loads a full-window iFrame that overlays the malicious content directly on top of the actual site, giving it an air of legitimacy.
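The overlay trick described above has a simple observable signature from the defender’s side: an iframe that covers essentially the whole viewport and whose content comes from an origin other than the page in the address bar. The snippet below is an added example, not code from the original article or from Malwarebytes; it flags such frames by geometry and origin. The `{src, rect}` descriptor shape, the 90% coverage threshold and the sample frames and hostnames are all constructed for illustration.

```javascript
// Added example: flag full-viewport iframes served from a different origin than
// the page itself, the overlay pattern used by the malvertising campaign above.
// The descriptor shape {src, rect:{x,y,width,height}} is an assumption of this
// example; the sample data below is constructed, not captured from a real site.

// Pure classifier so it can run (and be tested) outside a browser.
// `coverage` is the fraction of the viewport a frame must cover to count (assumed 90%).
function findOverlayFrames(frames, viewport, pageOrigin, coverage = 0.9) {
  const area = viewport.width * viewport.height;
  return frames.filter(f => {
    const r = f.rect;
    // Area of the frame that is actually inside the viewport.
    const visible =
      Math.max(0, Math.min(r.x + r.width, viewport.width) - Math.max(r.x, 0)) *
      Math.max(0, Math.min(r.y + r.height, viewport.height) - Math.max(r.y, 0));
    if (area === 0 || visible / area < coverage) return false;
    let origin;
    try {
      origin = new URL(f.src, pageOrigin).origin; // resolve relative src against the page
    } catch (e) {
      return true; // a full-window frame with an unparsable src is worth a look too
    }
    return origin !== pageOrigin;
  });
}

// Browser wrapper: walks the live DOM. Returns [] when there is no DOM (e.g. under Node),
// so the file can be loaded in either environment.
function scanDocument() {
  if (typeof document === 'undefined') return [];
  const frames = Array.from(document.querySelectorAll('iframe')).map(el => {
    const r = el.getBoundingClientRect();
    return { src: el.src, rect: { x: r.left, y: r.top, width: r.width, height: r.height } };
  });
  return findOverlayFrames(
    frames,
    { width: window.innerWidth, height: window.innerHeight },
    location.origin
  );
}

// Constructed sample: a normal embedded widget, a same-origin full-page frame,
// and a cross-origin frame covering the entire viewport (the overlay pattern).
const SAMPLE_ORIGIN = 'https://shop.example.test';
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_FRAMES = [
  { src: 'https://cdn.example-widgets.test/player', rect: { x: 40, y: 500, width: 300, height: 200 } },
  { src: '/app', rect: { x: 0, y: 0, width: 1280, height: 720 } },
  { src: 'https://lure.example.test/support', rect: { x: 0, y: 0, width: 1280, height: 720 } },
];

function demo() {
  return findOverlayFrames(SAMPLE_FRAMES, SAMPLE_VIEWPORT, SAMPLE_ORIGIN);
}

module.exports = { findOverlayFrames, scanDocument, demo };
```

Run `demo()` under Node to see only the cross-origin full-window frame reported, or paste the file into a browser console and call `scanDocument()` on a suspect page. The check is deliberately geometric: it does not look at z-index or positioning, so a legitimate full-page embed from another origin will also be reported and needs a human look; the point is to surface the overlay, not to block it automatically.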
Malwarebytes said it believes the campaign has been going on for at least several weeks. The researchers believe that the number of victims can be high for two reasons: the popularity of the keywords and the “replayability” of the malvertising campaign.
Researchers say replaying malvertising attack strings on high-profile websites like YouTube and Amazon is usually difficult, but was easy in this case. In other words, this is a sophisticated attack, so be sure to take note of these indicators of compromise. ®