CyberWire Daily - Berserk Bear is back, and still loves that critical infrastructure honey. COVID-19 apps: good, bad, and bogus. Android issues discovered. A FIN7 arrest. Mr. Faraday's underwear.
Episode Date: May 27, 2020
Berserk Bear is back, and snuffling around Germany's infrastructure. Two new Android issues surface. India opens up the source code for its COVID-19 contact-tracing app as such technological adjuncts to public health continue to arouse privacy concerns. [F]Unicorn poses as Italy's Immuni app. An alleged FIN7 gangster is arrested. Australia's Data61 urges companies not to scrimp on R&D. Joe Carrigan on Android mobile malware getting new features. Our guest is Frederick "Flee" Lee from Gusto on CCPA. And does your underwear come with a Faraday cage? We thought it might. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/102
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Berserk Bear is back and snuffling around Germany's infrastructure. Two new Android issues surface. India opens up the source code for its COVID-19 contact tracing app as such technological adjuncts to public health continue to arouse privacy concerns. [F]Unicorn poses as Italy's Immuni app. An alleged FIN7 gangster is arrested. Australia's Data61 urges companies not to scrimp on R&D. Joe Carrigan on Android mobile malware getting new features. Our guest is Frederick "Flee" Lee from Gusto on CCPA. And does your underwear come with a Faraday cage? We thought it might.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 27, 2020.
CyberScoop reports that German intelligence services have circulated an advisory warning that the Russian government threat group Berserk Bear is actively working against German industrial operations in the energy and water sectors. Berserk Bear was last mentioned in dispatches during 2018, when the U.S. government warned that Russian actors had been engaged in some preliminary reconnaissance of U.S. infrastructure. Tagesschau identifies the German intelligence services as the Federal Intelligence Service, BND; the Federal Office for the Protection of the Constitution, BfV; and the Federal Office for Information Security, BSI. The warning doesn't directly name the Russian government, but it prominently links, as evidence, to U.S. documents that do just that. So the intended attribution isn't seriously in question.
Two Android issues have surfaced. F-Secure warns that default configurations specific to regions also create region-specific security problems for flagship Android devices. It's easy to assume that handsets with the same branding will be roughly interchangeable with respect to security, but that assumption, F-Secure says, is unwarranted. Quote, "Customization done by third-party vendors such as Samsung, Huawei, and Xiaomi can leave these devices with significantly poor security dependent on what region a device is set up in or the SIM card inside of it." End quote.

The other Android issue is a vulnerability called StrandHogg 2.0 by researchers at Promon, who described it. TechCrunch reports that StrandHogg 2.0 could be exploited by password-harvesting malware masquerading as legitimate apps. It doesn't appear to be exploited in the wild, at least for now, but the researchers warn that exploitation might be unusually difficult to detect.

India's government has announced that it's making the source code of its Aarogya Setu contact tracing app available for inspection and testing, a decision that Reuters says is generally being well-received by digital rights activists as likely to increase the system's security.
Privacy concerns continue to surround the contact tracing technology being trialed by Britain's NHSX. Fears that the app will outlive the pandemic and become a permanent part of a national surveillance system are now familiar, and the war rhetoric that C4ISRNet sees surrounding national responses to the pandemic has probably helped provoke that sort of backlash in public opinion. Computer Weekly reports that centralized data collection has also aroused worry that contact tracing databases will themselves prove to be insecure, and that if breached, they would provide cybercriminals with resources for identity theft and other capers.
According to Bleeping Computer, an archly named ransomware strain, [F]Unicorn, is being distributed by social engineering come-ons that inveigle users in Italy to download the malware in the belief that it's a contact tracing app developed by the Italian Pharmacist Federation. Trend Micro says the ransomware poses as a beta release of the Italian government's Immuni COVID-19 app. One might ask, given the difficulty that legitimate contact tracing apps have in finding enough willing users to make them effective, why criminals would think this particular social engineering approach likely to succeed. The answer, of course, is that public health organizations need at least half the population to sign up for contact tracing, but the criminals only need a few marks to make it worth their while. As is so often the case, the secret to the criminals' success is volume.

Score one for the feds. U.S. authorities, according to court documents unsealed late last week, have taken a leading member of the FIN7 gang, an alleged leading member of the gang, we must note. Denys Iarmak was extradited from Thailand and is now in U.S. custody. FIN7 is regarded as an unusually sophisticated and effective gang, Vice reports, and is thought to have taken in at least a billion dollars from its victims, which include businesses in the retail and hospitality sectors.
Frederick Lee is chief security officer at Gusto, a financial services and payroll company. His friends call him Flee, which I assume came about from an abbreviation of his name in an email address. At any rate, Flee is nothing if not outspoken, and he joins us with opinions on CCPA, the California Consumer Privacy Act.

So, you know, for those that aren't aware, CCPA is the California Consumer Privacy Act that went into effect earlier this year, here in 2020, with the idea being to help reestablish privacy and data ownership controls for consumers, to help give businesses some better guidelines, but ultimately also some regulations and some enforcements to go along with that to set the stage for proper behavior when it comes to dealing with civilians' data. At a high level, you know, that is a great idea. Part of my concern, though, is how that has actually been implemented and if it's actually going far enough.

So, you know, one of the great things about CCPA is, yes, it truly is giving some real enforcement mechanisms and some real incentives for companies to actually start doing better when it comes to data, you know, and data mining, et cetera, selling of data, for consumer data. So, for example, a company that you might have signed up with to either maybe do some online shopping or maybe even just a newsletter from, they now have stronger guidelines about what they can actually do with that data. In the past, some companies have used that data to just sell it, and you didn't know anything about it. But now you, as a consumer, have a right to know how your data is being used, if it is being sold. And you also now have a right here in California to ask for that data to be destroyed. So you have a lot more control over your own data. And that's ultimately a good thing. We want more and more companies to really be proactive and really aware that there's a human behind that data and that it's not just, you know, not just bits, but there's a physical person there. And that physical person has desires and rights about how they actually want their data to be treated. And that's actually one of the things I think is good about CCPA.

One of the things that I am somewhat cautious of when it comes to CCPA is, obviously, does it go far enough? And even more so, does it kind of, in a backwards way, give companies an out? With regards to actually, does CCPA go far enough? Right now, it's hyper-focused on really this idea of actually selling data and your right to know and what companies can and can't do. And there are actual teeth behind it. So, you know, there are fines associated with companies that violate CCPA. But we also know that there are companies that, you know, for better or worse, are actually big enough that they can actually weather those fines. And that's, I think, one of the shortcomings. Are there enough teeth behind CCPA? And I think it's actually part of the thing that we need to really push on for when we actually see legislation such as CCPA. We have to make sure that we, as an industry, not just adhere to that, but actually go way, way, way, way beyond it. Like CCPA should kind of be almost like the bare minimum that a company should do. And unfortunately, some companies do view it that way. It's like, hey, this is the bare minimum. And as long as we actually do that, we're fine. But I want to see us as an industry push even further, start implementing, you know, these ideals of what it means to be a good data custodian. Like we have people inside of a company that advocate on behalf of consumers and their privacy, having things like a privacy council inside of your company that can actually kind of really sit down and think about what are the implications of us rolling out this feature? How does it impact a consumer's privacy?

That's Frederick Lee, Flee, from Gusto.
The Commonwealth Scientific and Industrial Research Organisation's Data61 unit, Australia's data science research institution, advises companies not to squeeze R&D budgets in the course of COVID-19 belt tightening, the Financial Review reports. Jon Whittle, currently dean of the Faculty of Information Technology at Monash University, will assume the directorship of Data61 in July. He urges companies to maintain their commitment to research, since innovation would pay off once the pandemic passes.

And finally, have you been able to swaddle yourself in a Faraday cage yet? All the right people are doing it. No, seriously, now available on Amazon, if you're interested, are products that claim to protect the user from the malign effects of 5G signals. The Telegraph reports that the offerings include underwear, stickers, blankets, pills, and so on. Not only do none of these things offer protection, but the protection itself would be protection against a perceived threat that's, well, no threat at all. So why are people all of a sudden so worried about the electromagnetic fields associated with 5G technology? Well, it's a perennial bit of hyper-suspicious hooey that's achieved new currency with bogus conspiracy theories that link the COVID-19 virus to 5G signals.

We looked at Amazon, and indeed, the stuff is up for sale: anti-EMF radiation-reducing underwear, protection from cell phones, wireless, Bluetooth, and 5G radiation and EMF; an EMF shielding black sports bra, which features moisture wicking properties, for 5G; an EMF protection hat hood with anti-radiation fabric, EMF protection, and RF shielding; and anti-EMF stickers. These come in 10-packs, and it's not clear whether the stickers themselves afford protection or simply warn people of the dangers. EMF, of course, is electromagnetic field. The U.S. Federal Trade Commission says there's no scientific proof that so-called shields significantly reduce exposure from these electromagnetic emissions. This is the tinfoil hat for the 21st century, and we have to say the garments are a lot more stylish than the old DIY hats used to be. You know, the kind you wore back in the day to keep the government from X-raying you through the ceiling? Perhaps I've said too much.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Joe, always great to have you back.

Hi, Dave.

Got an interesting story came by. This is from the Bank Info Security website, and it's their botnet watch. And they're talking about the Anubis mobile malware getting some new features. What's going on here, Joe?

Yeah, this is interesting. So Anubis is a banking trojan that tries to collect your banking credentials. And it's pretty richly featured, actually. It's got a very good command and control system. And, of course, then it has a client that gets installed on Android devices. And there are lots of ways they try to get you to install this. Surprisingly, one of the big ways, and this is kind of a thorn in the side of Google, this article says, that these guys try to embed Anubis, the Trojan part, into what looks like a legitimate app in the App Store, in the Google Play Store. And Google has to go through and find these things. They obfuscate the code so that it's harder for Google to find it. So there's a chance that it could be in the Google Play Store. And Google is always, of course, looking for it. But then they also use third-party app stores and maybe even try to get you to install it via a phishing campaign.

But there are some interesting features that already are included with this, and one of them, Trend Micro noticed this last year, is that if the Anubis malware sees that there's no data coming from the accelerometer, the motion sensor, then the device is probably a sandbox device, right? You know, like if I build an emulator on my computer that emulates an Android device and this software is running on it, it will check the accelerometer for accelerometer data. And if there's no data coming from it, it says, I'm not running. Nope, not going to do it, because it knows that it's in a sandbox and being observed. Now, there's a simple workaround for that. You can probably generate, record and play back some accelerometer data that will fool the malware, but you have to take that step or the malware will never run and you can't do what's called dynamic analysis, which is where you do the analysis on the software as it's running. And because it's obfuscated, a lot of times static analysis, which is where you do the analysis on the software just as it's written, is very difficult.

But one of the new features that they're saying in this article, and it's not out yet, but it's probably coming soon, is a feature that lets the malware operator know, or the malware know, when the user is looking at the device. Now, this is actually a feature that's included in a lot of phones so that the screen doesn't go blank, right? So the camera actually watches your face and sees that your eyes are looking at the phone. And if the camera sees that your eyes are looking at the phone, the phone will not shut the screen off. And this is a user feature. But here it is being exploited by malicious actors. So now, if I'm a bad guy and I write some software and I'm going to execute something on that software that I know is going to put something on the user interface that the user might see, I wait for the user to not be looking at the phone before I run it.

Right.

Right. And then I can do it and I know the user didn't see it because they weren't looking at the phone, because the phone tells me when the user is looking at it. So here's another feature being exploited for a malicious purpose.

Yeah, I'm waiting for the feature when it can, you know, do an electronic equivalent of throwing your voice, you know, so it gets you to look the other way. Look over here, right? So some sort of, you know, audio acoustic illusion. So it sounds like it's dropping a fork or something behind you. So you look the other way, and then it does whatever it needs to do on the screen while you're looking away, I suppose. I don't know. I can imagine that being a coming feature.

Or the phone sits behind you.

Right, right. Look out.

Right. Right.

But how interesting that these features, I guess, that are available to any developer, and a good thing, a valuable feature, but the bad guys can use them as well.

Absolutely. That's correct. 100% correct. Anything, like I frequently say, I can use a hammer to build a house or I can use a hammer to take a wall out maliciously. It's a tool.

Do we have any sense for who's behind Anubis?

There is. This article talks about rumors about a developer calling himself Mazain, M-A-Z-A-I-N. But the code has been released in an unobfuscated form. So there are multiple people probably out there developing it right now. Once you get the unobfuscated form, it's very easy to reverse engineer it back to code, and then you can start just maintaining it on your own. So we don't really know who's behind it. Rumor was that Mazain was arrested by the Russians, Russian authorities. I don't know if that's true or not. I have no idea. But the code is still out there and it is being developed and it's probably being developed by multiple parties.

Yeah. Yeah. All right. So be aware of that one. Joe Carrigan, thanks for joining us.

It's my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard. Thanks for listening. We'll see you back here tomorrow.