CyberWire Daily - Chinese cyber espionage in Malaysia and Japan. Android Bluetooth bug. Google expels suspect apps from the Play store. More Iowa caucus finger-pointing. US preps indictments of Chinese nationals.
Episode Date: February 7, 2020
Chinese espionage groups target Malaysian officials, and two more Japanese defense contractors say they were breached, also by China. Google patches Android problems, including an unusual Bluetooth bug. Google also expels apps that wanted unreasonable permissions from the Play store. Some in Iowa say the DNC pushed an eleventh-hour security patch to IowaReporterApp. The US may indict more Chinese nationals for hacking. More Senate reporting on 2016 Russian influence. Caleb Barlow from Cynergistek with more insights on hospitals and ransomware, this time from the patient's perspective. Guest is Matt Cauthorn from ExtraHop comparing cloud platforms' similarities and differences. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_07.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Chinese espionage groups target Malaysian officials
and two more Japanese defense contractors say they were breached, also by China. Google patches
Android problems, including an unusual
Bluetooth bug. Google also
expels apps that wanted unreasonable
permissions from the Play Store.
Some in Iowa say the DNC pushed
an 11th hour security patch to
Iowa Reporter app. The U.S.
may indict more Chinese nationals for hacking.
And more Senate reporting
on 2016 Russian influence.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, February 7th, 2020.
More Chinese espionage campaigns are in the news today.
MyCERT, that is Malaysia CERT, has issued an advisory warning that a cyber espionage campaign has been conducted against government officials in that country.
They don't specifically call out the parties responsible, but sources listed among their references suggest that it's APT40.
APT40 is generally believed, as ZDNet notes,
to be a group of contractors working for the Hainan Department of the Chinese Ministry of State Security.
Two more Japanese defense contractors have joined Mitsubishi Electric and NEC in making delayed disclosure that they were breached by Chinese threat actors, BleepingComputer reports.
PASCO Corporation was hit in May of 2018.
Kobe Steel was compromised in June of 2015 and again in August 2016.
Data appear to have been exfiltrated during the incidents.
The outfit behind the campaign is thought to be Tick,
also known as Bronze Butler and Red Bald Knight,
a state-backed group with a focus on cyber espionage and
information theft.
These disclosures are said to have been delayed because of the complexity of the investigation.
The Ministry of Defense coordinated the announcements because, as the spokesman put it, the attacks
should be publicly disclosed.
It is necessary to get the world to know and think about defenses.
A Bluetooth flaw that leaves Android devices open to compromise has been discovered.
It's a particularly noteworthy issue because an attacker could exploit the flaw without user interaction.
The problem arises when the device has Bluetooth in discovery mode,
that is when it's looking for another device to pair with.
The Register suggests that prudent users will avoid using Bluetooth on Android devices until they fix the problem.
A patch is available in Android's February updates.
VPNpro, Trend Micro, and Cofense have found malicious Android apps in Google Play.
Those identified by Trend Micro are interesting in that they post their own positive reviews in the Play Store,
the better to attract downloads.
Claiming to boost device performance, the apps' sock puppets tell potential users that they work just great.
The effect is amplified by their use of the same text.
Great, works fast and good, accompanied by a standard four-star rating.
Looks legit.
VPNpro connects the bad apps it found to Shenzhen Hawk Internet Company,
a Chinese firm said to be behind the nominal developer of the five security apps
among the suspicious 24 it found, Hi Security.
Hi Security's apps, VPNpro said,
request especially dangerous permissions upon installation.
What permissions count as dangerous?
Well, things like access to a user's camera or the phone itself,
and access to the phone would mean the app could place calls.
Most of the apps can access the user's geolocation and read data kept on external storage.
14 of the 24 can collect and report details about the user's device and network.
One of the apps wants to record audio on its own servers,
and another one can access contacts.
It's difficult to come up with legitimate reasons why an app might want to do these things,
but they certainly look like the sorts of things spyware and fleeceware would wish to accomplish.
Perhaps the company behind them can offer some clarification.
Shenzhen Hawk, itself a subsidiary of TCL Corporation, a large and partially state-owned
electronics company, told Forbes through its corporate parent that the whole thing is a
misunderstanding. TCL said it takes its customers' privacy seriously and went on to explain,
we understand the actions Google has taken here in removing our applications from the Play Store,
and we're actively working with them to better understand their concerns.
We are also engaging an outside security partner to assist our teams in auditing each of our
applications and set up ongoing auditing and monitoring to ensure we can offer the peace
of mind and trust our customers expect from us.
Naked Security reports that Google has yanked Shenzhen Hawk's 24 suspect apps from the store,
and good riddance to them.
U.S. Representative Sheila Jackson Lee, Democrat of Texas,
asked FBI Director Wray at oversight hearings Wednesday if he intended to investigate the Iowa caucus.
As it seemed to her, the Russians may have interfered with the process.
The suspicion is probably inevitable, but the representative seems to be an outlier in thinking
the Russians interfered with her party's caucus. So far, there seems nothing to suggest that the
problems of the caucus were rooted in anything other than a poorly designed and deployed app.
There's been a fair amount of intra-party finger-pointing as the week draws to a close.
The caucus tallies were completed yesterday, but amid a general mood of dissatisfaction.
Tom Perez, chair of the Democratic National Committee, tweeted that he'd had enough
and called upon the Iowa Democratic Party to re-canvass because of problems
with the ways in which the results were counted. The Iowa Party pointed out, says the Washington
Post, that it's up to the candidates to request this, not the DNC, and that they'd consider such
requests but from the candidates. The state party has extended the deadline for requesting a
re-canvass until noon Monday. And the Des Moines Register reports
that Iowa party officials now blame
a last-minute security patch the DNC demanded
for the problems the Iowa reporting app experienced this week.
John McCormally, a former member
of the state party's central committee,
and this year a Polk County precinct chair,
told the Register that,
I know people say this was a conspiracy theory,
that is, the party leaders, were trying to rig results, but I don't think that's it at all. The DNC people are the
people who literally had their emails hacked by WikiLeaks for the world to see. I think they are
overly paranoid about hacking and security. McCormally gave the Register a copy of a
communication he received Saturday evening that directed an 11th-hour security upgrade for the Iowa reporting app.
The state party would neither confirm nor deny that they were patching the app over the weekend,
and the DNC itself said it had made an unnamed security vendor available to test the app
but wouldn't say whether any patching was recommended.
CyberScoop reports that the U.S. Justice Department
is preparing a fresh round of indictments of Chinese nationals
for crimes related to cyber and insider industrial espionage.
Assistant Attorney General for National Security John Demers
wouldn't say when the indictments would be forthcoming,
but he did say to expect them soon.
And the U.S. Senate has released the third volume of its projected
five-volume investigation of Russian attempts to interfere with the 2016 elections. Politico's
account of the report says the investigators found the previous administration generally
unprepared to respond and uncertain of how to do so without appearing to improperly favor one
candidate. This is probably understandable given the unfamiliarity of the specific form the influence
operations took, and the relative novelty of the amplifying effects of social media.
The administration did warn the Russians not to meddle and thought they'd induced Moscow
to climb down, at least a bit, but it now appears the Russians simply nodded and blew
the Americans off.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at Cynergistek.
Caleb, great to have you back. I wanted to talk about hospitals and ransomware,
but I wanted to come at it this time from the patient side of things.
What sort of insights do you have there?
Well, this can be really impactful, not just for the health care practice, but for the patients as well.
And, you know, if we go all the way back to the, you know, like 5 B.C., you know, with the Hippocratic Oath, we have to remember that doctors have an obligation to do
no harm. And interestingly enough, part of that Hippocratic oath is maintaining that patient's
privacy. Well, you know, the challenge here when we talk about a ransomware incident is, first of
all, remember, if the data can get ransomed, it can just as easily get stolen or extorted.
And we're starting to see instances where when a hospital doesn't
pay the ransom, the bad guys may try to extort them for the data. So, you know, you have both
the privacy concern as well as the impact of getting locked up. But I want to talk in detail
about the problem when a hospital gets locked up. And remember, you know, let's take a case of
grandma and maybe grandma's getting old. She's at a nursing home.
She's probably got a pretty complex cocktail of pharmaceuticals, right?
Maybe some to manage dementia, maybe some to manage, you know, her health ailments.
Well, the problem is when that electronic healthcare record system is locked up with ransomware, those physicians don't have access to any of that information.
And it could be months before they get access to it again. So the first thing to keep in mind is
anyone with a complex medical history, a lot of that history has to get started all over again
with those nurses and physicians. And unfortunately, a lot of that, especially when we're talking about
elder care, involves some level of experimentation to get that drug cocktail just right.
So it can have an immediate impact
on patients that are inside of an institution,
but it can also have an impact on emergency care.
I mean, we've seen multiple instances over the last year
where patients have to get diverted
when a hospital gets locked up with ransomware
because they can't access the medical records,
they can't access history.
And you may also see your surgery that was scheduled three months out get deferred because if I can't see the notes from the doctor, if I can't see your past images
and x-rays, I'm probably not comfortable performing that surgery. I think about my own situation and
my parents are getting older. They're in that category of elderly.
As someone who is looking out for them,
does it fall on me to keep a running backup of their medical information
so that if something happened with their healthcare providers,
I could walk in there with my own document and say,
here's the latest, here's the history, have at it?
Well, I don't think we're quite there yet,
but I think we're getting really close.
And I'll tell you, I've asked myself the same question
with some elderly relatives,
and I'm starting to think that's probably not a bad idea, right?
Where at the very least, if you've got someone,
I mean, let's face it,
some people's medical record is a book, right?
Having a printed copy of that is probably not a bad idea because then at least you're not having to recreate all of that from scratch.
You're not going through their medicine cabinet, pulling out prescriptions and walking in the doctor's office with a bag full of them and saying, this is what was here.
I have no idea what they're actively taking.
Well, and let's put it this, let's put it another way, especially if you have someone that maybe has,
you know, a large number of pharmaceuticals at home, part of regular care regimen.
It's not a bad idea to have a copy of what their, you know, what their prescriptions are in their medical history, just with you anyway, in the event of an emergency. So I think that kind of age-old advice
just probably gets underscored a bit more here
now that we're in the realm
where a hospital can get locked up with ransomware.
Yeah, it really is a fascinating thing to think about
how you think about patient advocacy.
You know, you have to be your own advocate.
Well, that extends to this cyber side
of how hospitals run as well. You have to be prepared
that you may have to sort of fend for yourself if these records get locked up.
That's exactly right. And we're seeing patients make changes based on this.
25% of patients have changed their provider following a data breach, right? Now, obviously,
a ransomware incident where a whole institution goes down is going to be even more impactful.
The other thing we just need to be aware of as, you know, as CISOs and hospitals start to get
prepared is what happens if you have a system-wide impact? You know, if you're using the same systems
and tools, not across one hospital, but across five or 10 in a region,
then the potential impact becomes far more devastating.
All right. Well, it's good stuff to think about. Caleb Barlow, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
My guest today is Matt Cauthorn.
He's Vice President of Cybersecurity Engineering at ExtraHop.
He joins us with insights on the leading big cloud platforms
and perspective on their similarities and differences when it comes to securing your data.
If you were to consider, say, AWS versus an Azure, if you've got operational practices that are conducive to the Microsoft stack and Microsoft services like Active Directory, Office 365, and that whole application ecosystem, it might make a lot of sense for you to deploy there in Azure.
Comparatively, in the GCP sense, we see lots of retail there, frankly, because of competitive concerns with the big player. So we see lots of retail in GCP, and we also see lots of DevOps-y, agile,
container-centric folks deploying there as well. So from a raw functionality perspective,
they're very, very similar to one another at the end of the day. You know, taken collectively, they force some practice-level changes and think sort of paradigm
changes for the operations teams as they migrate apps up into the cloud.
Well, take us through some of that.
When folks are going through this process, what are some of the things that they have
to contend with?
It seems like a lifetime ago, but I came from a traditional data center application
delivery environment. We had globally distributed data centers and 90 remote sites here in the
domestic US. And federating a highly available, secure, and most importantly, an agile application
delivery ecosystem in that traditional setting
was very, very tough, disproportionately hard, I would say. I'll give you an example. It's very
difficult to be like a traditional router switch person. Let's just start with the lower level
network staff who keeps things up and running. It's very difficult to just superimpose that skill set and
that way of thinking into a cloud setting because the cloud constructs, as you know, everything is
now code and everything is software. And security is built as one of the foundational bricks that
was laid for all of these providers. So you can't neatly separate yourself from other operational concerns any longer.
In the old setting, in an enterprise, you have these operational silos and there's all sorts of coordination costs that goes along with that.
It's a very high latency information model, frankly.
And in the cloud, it forces you to break those barriers down. And now, you know, the person who sets up a virtual private cloud,
which is a segmented network in the cloud,
they can't separate that action with the subsequent security-centric actions
that go right along with that.
Yeah, I mean, it's a really interesting insight,
just the separation of the physical from the virtual.
You know, you can't, I'm imagining someone in the old days,
you know, saying,
hey, we've got a situation here.
I need you to go behind the rack
and start pulling power cables
out of routers.
You know, like you can't do that anymore.
That's right.
Yeah, you know, we were just last week,
we were all in Seattle
at corporate headquarters
and we were talking to a customer
who had this deploy
and destroy
paradigm in the cloud, where depending on workload and a business-level event, they were able to
deploy a massive amount of compute to address some market-level need, and then they would just
wipe it off the map when it was done. And if things don't work, if you need to make a change,
you can like redeploy a multi data center deployment with a network that stretches across them and all the
subnets and, you know, the infrastructure components therein, those can just go away and
get recreated on demand. And so it's a very, very different, again, the agility and just the low
latency of it all, of the infrastructure
itself. It just changes the game in ways that are good and bad, frankly. Well, let's dig into the
other side of it then. What are some of the potential traps that people have to be wary of?
Well, so this is fairly well-trodden territory. And so I'll admit to an utter lack of originality here, but, you know,
the shared responsibility model itself is something that I've seen personally with our accounts that
are sort of at some stage of their, it's a very dramatic term, but their cloud migration journey,
right? People are, everybody's got an initiative. And so one of the common things going back to the
traditional data center model that I spoke to, is just the shared responsibility model.
There's, you know, the security of the cloud, which is the service providers are going to be responsible for that.
You know, the bare metal, the physical access, their employees and who can access systems with least amount of privilege and things like that.
And then there's the security in the
cloud. And on the Venn diagram of operational concern, there is a gray area there in the middle.
And just wrapping your head around where your responsibilities stop and the providers start
or vice versa is really step one. Are there common things that you see?
The folks who are doing this well,
the folks who are running in a sophisticated and mature way,
are there things that they have in common with each other?
Yes, absolutely.
The number one, two, and three thing is automation and standard configs.
One of the beautiful things about the cloud, in my opinion,
is that they're very well understood
and battle-tested design patterns
that go along with very many
or even most infrastructures
or architectural designs.
In AWS, and they've all got their flavor of this,
but in AWS terms,
it's the well-architected framework.
They've got these design patterns
that they themselves embrace,
as well as the customers over the years have learned these lessons,
and they're very forthright about sharing that with the community.
It's very, very difficult to achieve that in a traditional data center setting.
But in the cloud, it's just there.
So the automation capabilities from a configuration and change management perspective, security incident management or incident response perspective, the game just is completely, completely different in a very good way.
And so the folks that embrace these new models of getting operational things done in a compliant, secure and agile way, they end up ahead of the curve.
Recently, all of the cloud providers, the big three, have announced either early access or have launched in generally available terms, native packet mirroring from their virtual switches.
And for vendors like us, this is a huge development because one of the last mile components of the visibility triad, which is logs, endpoint, and network, the last one for the cloud is the network.
And now it's this great enabler for network detection and incident response from the perspective of the network fabric itself.
That's Matt Cauthorn from ExtraHop. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Thank you. See you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.