DoJ approves Google's acquisition of Mandiant
Plus: Ukrainian fake news and Uber admits covering up data breach
In Brief Google's legally fraught journey to buy cybersecurity business Mandiant is in its final stretch, with the US Department of Justice closing its investigation and giving the go-ahead for the sale to proceed.
In a regulatory filing submitted to the Security and Exchange Commission by Mandiant, the company said the DoJ also waived the mandatory merger waiting period, which was apparently a condition of the sale. The ball is now in Google and Mandiant's court to decide on the conclusion of the merger.
The deal, announced in March, would bring the security provider under the Google Cloud umbrella. At $5.4 billion, it's the second-largest purchase ever made by Google, bested only by its 2011 purchase of Motorola's phone division, Mobility, for $12.5 billion.
The Google/Mandiant saga was further complicated in early April when a Mandiant shareholder sued to block the sale, citing misleading statements from the security biz to its investors. The shareholder accused Mandiant and its financial advisors of preparing a set of non-public financial forecasts that weren't included in proxy filings related to the Google purchase.
Despite the DoJ giving its approval for the sale, the lawsuit is proceeding, at least according to the most recent publicly available documents, from late May, when a Mandiant representative appeared in court.
Mandiant's filing this week said the companies are still expecting to close the merger by the end of 2022.
T-Mobile US said it will pay out $500 million – $350 million to its customers, another $150 million on improving its systems – to settle class-action lawsuits over last year's disclosure that millions of people's information had been stolen and leaked.
Uber settles data breach case
In a last-minute Friday deal, Uber settled its case with the US government over covering up a massive data breach and paying off the crims who did it.
In a statement, the US Department of Justice said: "Uber admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission ("FTC"), which at the time of the 2016 breach had a pending investigation into the company's data security practices."
Uber admitted 57 million user records along with 600,000 drivers' license numbers were purloined and, rather than working this out with law enforcement, the incident wasn't reported until a new CEO came on board. Joe Sullivan, CSO at the time, is facing charges of wire fraud after allegations he attempted to buy off the data thieves in return for a six-figure payout and a non-disclosure agreement.
Sullivan has now left Uber.
Uber has already agreed to a 20-year supervision period over the incident and has paid $148 million to US states to settle the matter.
Dumb macOS malware operates from the cloud
ESET researchers have uncovered a fresh sample of macOS malware that uses public cloud services to store payloads, exfiltrate data and execute command and control of infected machines.
Dubbed CloudMensis, the ESET research team said the malware has a variety of capabilities, including listing running processes; taking screen captures; listing emails, attachments and files on removable media; running shell commands and directing output to cloud storage; and downloading/executing arbitrary files.
ESET found support for pCloud, Yandex Disk and Dropbox in CloudMensis' code. In the sample ESET described, multiple cloud providers were used to store different components and C2 services.
The researchers said they still aren't sure how CloudMensis initially infects machines, but said they didn't detect any new zero-day vulnerabilities in the malware sample they obtained. As it isn't using any new macOS weaknesses to infect machines, ESET advises all Mac users to keep their systems up to date.
Marc-Etienne Léveillé, an ESET researcher who analyzed CloudMensis, said the quality of the code and lack of obfuscation suggests its developers were either unfamiliar with macOS development, or are generally "not so advanced."
"Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets," Léveillé said.
Compromised Ukrainian radio stations spread fake news
TAVR Media, a broadcasting network that operates nine major radio stations in Ukraine, was compromised by attackers last week and used to broadcast false information that Ukrainian President Volodymyr Zelensky was in critical condition.
According to the State Special Communications Service of Ukraine (SSCIP), the attackers alleged Zelensky had been hospitalized in poor enough health to cede control of the country to Ukrainian parliamentary chairman Ruslan Stefanchuk, which is untrue.
"TAVR Media Group reports that the information communicated on their radio stations is not true. The issue is now being addressed by competent agencies," the SSCIP said in a tweet.
Zelensky also posted a video to Instagram later in the day, saying he was in his office and "have never felt as healthy as I do now," according to a translation in Infosecurity Magazine. Zelensky also accused Russia of the attack, though no concrete link to an attacker has been reported.
Russia has operated disinformation campaigns inside Ukraine since its invasion of the country in late February. Google's Threat Analysis Group said recently that "many Russian government cyber assets have remained focused on Ukraine and related issues since the invasion began."
Along with aggressive campaigns of online attacks, Russian cyberspies have also taken to social media to influence the conflict, with Meta saying it had been disrupting attacks, taking down posts and suspending accounts linked directly to the Belarusian KGB.
FCC initiates probe of 15 US wireless carriers
The US Federal Communications Commission wants to know all the ins and outs of how major US telecom companies store and share customer data, so it's asking 15 of the largest for a look behind their data retention curtains.
Letters from FCC Chairwoman Jessica Rosenworcel were sent to AT&T, Best Buy Health (operators of Lively), Charter Communications, Comcast, Consumer Cellular, C-Spire, DISH Network, Google, H2O Wireless, Lycamobile, Mint Mobile, Red Pocket, T-Mobile, US Cellular and Verizon.
All the letters are identical aside from brand names, and ask a lot of questions about data retention and sharing, including where data is stored and for how long, data deletion policies, opt-out capabilities, arrangements with third-parties to share geolocation data, customer notification and more.
"Given the highly sensitive nature of this data … the ways in which [it] is stored and shared with third parties is of utmost importance to consumer safety and privacy," Rosenworcel said in the letters.
The letters were written two days prior to news that the American Data Privacy and Protection Act had passed committee and was on the way to the House floor. If passed, the ADPPA would limit how companies could collect and use customer data and would be the first federal-level data privacy law in the US.
While it may not be directly related to the advance of the ADPPA, Rosenworcel did say that an FTC report from last year found that 98 percent of mobile internet service providers "collect more data than is necessary to provide services and more data than consumers expect."
With lawmakers scrutinizing them for exactly that, the information the FCC uncovers could serve as justification to sway skeptics as the ADPPA continues to advance. Rosenworcel wants responses by August 3rd; with Congress' August recess beginning next week, that data will likely be in well before an ADPPA vote is held.
Common Google searches are lousy with malvertising
The next time you perform a Google search for YouTube, Facebook, Amazon or Walmart, pay close attention to which link you click: The top result could very well be an impossible-to-detect malvertising link.
The Malwarebytes Threat Intelligence Team is reporting a Google Ads malvertising campaign that, at first, appears legit: It uses fake ads to trick people into clicking on malicious sites that trick them into calling tech support scams.
This campaign stands out, Malwarebytes said, because it's exploiting common search behavior of "looking up a website by name instead of entering its full URL in the address bar." That, and it is targeting incredibly common search terms.
The bad actors, whom Malwarebytes didn't identify, are operating by buying Google Ad space for common search terms and closely-related typos. To make the ads harder to spot, the cybercriminals are using a technique known as "cloaking," which is against Google's Webmaster Guidelines.
Cloaking uses a series of redirects based on the user that's clicked the link: Malicious pages for people, and legitimate sites for crawlers.
The redirect mechanism in this campaign is doubly tricky: It opens the actual page so the URL looks correct, but at the same time loads a full-window iFrame that overlays the malicious content directly over the real site, lending an air of legitimacy.
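As an added illustration, not taken from the Malwarebytes report or this article, here is a browser-side heuristic a defender could use to flag the overlay trick just described: any cross-origin iframe that covers most of the viewport. The frame geometry, origins and sample values below are constructed.

```javascript
// Fraction of the viewport covered by a rectangle (both in CSS pixels).
function viewportCoverage(rect, viewport) {
  const left = Math.max(rect.x, 0);
  const top = Math.max(rect.y, 0);
  const right = Math.min(rect.x + rect.width, viewport.width);
  const bottom = Math.min(rect.y + rect.height, viewport.height);
  if (right <= left || bottom <= top) return 0;
  return ((right - left) * (bottom - top)) / (viewport.width * viewport.height);
}

// Flag frames from another origin whose visible area covers >= threshold of the
// viewport. Same-origin full-page frames are common in legitimate layouts, so
// they are ignored; a cross-origin full-window frame over a real site is not.
function findOverlayFrames(frames, viewport, pageOrigin, threshold = 0.9) {
  return frames.filter((f) => {
    let origin;
    try {
      origin = new URL(f.src, pageOrigin).origin;
    } catch (e) {
      origin = 'unknown'; // unparsable src: treat as foreign
    }
    return origin !== pageOrigin && viewportCoverage(f.rect, viewport) >= threshold;
  });
}

// Browser glue (hypothetical helper): read live iframe geometry from the DOM.
function collectFrames(doc) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const r = el.getBoundingClientRect();
    return { src: el.src, rect: { x: r.x, y: r.y, width: r.width, height: r.height } };
  });
}

// Constructed sample: one ordinary video embed and one full-window overlay
// loaded from an unrelated origin, as in the campaign described above.
const SAMPLE_FRAMES = [
  { src: 'https://www.youtube.com/embed/placeholder', rect: { x: 40, y: 300, width: 560, height: 315 } },
  { src: 'https://example.invalid/scam', rect: { x: 0, y: 0, width: 1280, height: 720 } },
];
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_ORIGIN = 'https://www.example.com';

if (typeof document !== 'undefined') {
  // In a browser: check the current page instead of the constructed sample.
  const vp = { width: window.innerWidth, height: window.innerHeight };
  console.log(findOverlayFrames(collectFrames(document), vp, location.origin));
}
```

Run as a bookmarklet or content script, the last block lists suspicious frames on the current page; under Node only the pure functions are exercised.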
Malwarebytes said it believes the campaign has been going on for at least several weeks. The researchers believe the number of victims may be high for two reasons: The popularity of the keywords, and the "replayability" of the malvertising campaign.
Researchers say replaying malvertising attack chains on high-profile websites like YouTube and Amazon is usually difficult, but was easy in this case. In other words, this is a sophisticated attack, so be sure to make a note of those indicators of compromise. ®