CyberWire Daily - Content farmers and disinformation tactics. PhantomLance: quiet, selective, and apparently effective. Lawful intercept and contact-tracing apps. A look at the black market.
Episode Date: April 29, 2020
Researchers see a coming shift in tactics used by Chinese “content farmers.” Amplifying disinformation through influencers and other agents of influence. PhantomLance is a quiet and selective Vietnamese cyber espionage campaign. Lawful intercept and contact tracing apps. And the black market for malware is surprisingly open, cheap, and attentive to its customers. Joe Carrigan from JHU ISI on cheating in online games, guest is Tonya Ugoretz from the FBI on engagement with public and private sector during COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Researchers see a coming shift in tactics used by Chinese content farmers, amplifying disinformation through influencers and other agents of influence. PhantomLance is a quiet and selective Vietnamese cyber espionage campaign. Lawful intercept and contact tracing apps. Joe Carrigan from Johns Hopkins on cheating in online games. Our guest is Tonya Ugoretz from the FBI on their engagement with both the public and private sector during COVID-19. And the black market for malware is surprisingly open, cheap, and attentive to its customers.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 29, 2020.
A cyber espionage campaign Kaspersky calls PhantomLance has been able to infiltrate Google Play, and it appears to be the work of Vietnam's OceanLotus group. PhantomLance, whose masters appear interested in collecting both domestic and foreign influence, is relatively quiet. It tailors itself to its targets, the better to avoid overloading them with noisy and unneeded functionality. It's also relatively selective in its choice of targets. Since 2016, roughly 300 attempts have been observed, with most of the targets in India, Vietnam, Bangladesh, and Indonesia. Algeria, Iran, South Africa, Nepal, Myanmar, and Malaysia also figured on the list.
Recorded Future's Insikt Group reports that while Chinese influence operations have tended to present a benign, well-intentioned face to the larger world, Beijing's elbows are a great deal sharper when it comes to dealing with Hong Kong and Taiwan. Taiwan's relatively successful attempts to prevent mainland disinformation from having any significant effect on the country's elections can be expected to lead China's content farmers to look for more effective tactics. These are likely to include an increased emphasis on cultivating local influencers who could lend amplification and credibility to Beijing's line.
That sort of amplification may be seen as well in Chinese disinformation efforts related to the COVID-19 pandemic. We've mentioned that CNN reported earlier this week that a U.S. Army reservist who participated in last October's World Military Games in Wuhan has been falsely identified as the source of infection. The story began as Chinese government disinformation, but was subsequently picked up and distributed by a gaggle of YouTubers fascinated by bogus conspiracy theories. The U.S. Army is providing the reservist with support against the attention. Colonel Sunset R. Belinsky told the Army Times, "The Army is providing support to help Sergeant First Class Benassi with the public attention. As a matter of policy, the Army would neither confirm nor deny any safety or security measures taken on behalf of an individual. However, as we would with any soldier, the Army will work with the appropriate authorities to ensure that she and her family are properly protected." End quote.
Vendors of lawful intercept tools, spyware in popular jargon and when misused, are offering their products to governments as a quick approach to scaling COVID-19 contact tracing. Israel-based Cellebrite has, according to Reuters, offered its products to police in India as an aid to tracking people who may have been exposed to infection. Cellebrite is best known for a tool that law enforcement agencies have used to gain access to iPhones in the course of criminal investigations. Cellebrite points out that it's long offered its product to law enforcement and that it recommends that participation in such contact tracing should be voluntary. The Israeli government is said to be working with NSO Group, whose Pegasus intercept tool has gained notoriety, to develop similar capabilities. Cyprus-based Intellexa and New York-based Verint have also offered their products to governments interested in contact tracing. Observers suggest that surveillance tools of this kind are too imprecise for contact tracing purposes. For that to be done effectively, it would need to be able to determine proximity within 10 meters or less, and ideally within 2 meters. Bluetooth-based apps may be able to do that, but the geolocation provided by surveillance tools is generally thought by critics to be too coarse for such purposes.
The FBI has been playing an active role in the global response to COVID-19-inspired cybercrime through outreach and coordination with both the public and private sectors.
Tonya Ugoretz is Deputy Assistant Director in the FBI's Cyber Division.
I think if you look historically at the perception of the FBI, there's the sense that we're slowly, methodically collecting evidence to hold in a vault until one day when
we could put handcuffs on someone. That's certainly always a goal to bring someone to that kind of
judicial outcome, but it's not the only goal. Really, our primary objective is to impose risk
and consequences on our cyber adversaries,
and we do that in a number of ways. And what we're doing during the COVID pandemic is one example.
A lot of what you all are up to these days involves partnering with organizations in both the private sector and government as well. Can you give us some insights as to your activities there?
Sure. So if you look at the array of departments and agencies, as well as organizations in the private sector that work against cyber threats, the FBI is really in a unique position, kind of
in the center of that ecosystem. That's in part because of our unique authorities focusing on not only criminal threats with cybercrime, but also national security threats that typically emanate from overseas as well.
With the private sector, the FBI is really unique in that we are a dispersed organization.
We have a headquarters element, of course, but our strength is really in our field offices,
which are 56
scattered throughout the country, as well as hundreds of satellite offices. And the personnel
in those offices are part of communities. So don't think about the typical image of the FBI agent
showing up in a raid jacket. Think about the person standing next to you on the sidelines of
a soccer game who you have relationships with, ideally before something bad happens.
And that's really the focus of our engagement, building those relationships before you need to call us in a crisis.
Yeah, it really strikes me, this effort on behalf of the FBI at outreach, really engaging, really, I guess, a recognition, embracing that
to fight these things, we all need to work together.
It's absolutely critical to what we do. And it's not just in the cyber program. I mean,
the FBI is really built on those relationships in communities. So the targets that we're most concerned about protecting, one, aren't under the control of the U.S. government. And two, with the growth and emergence of an
increasingly sophisticated commercial cybersecurity industry, the U.S. government doesn't have the
monopoly on information that can help us illuminate cyber threats. So it's critically important that we work with internet service providers,
commercial cybersecurity companies,
as well as the owners and operators of critical infrastructure.
We each have pieces of this puzzle,
and we really need to work together to most effectively thwart these attacks.
That's Tonya Ugoretz.
She's Deputy Assistant Director in the FBI's Cyber Division.
Some of the contact tracing apps seem to work as intended,
but voluntary participation remains well below what epidemiologists believe necessary.
Many of the Bluetooth-based contact tracing apps,
like those under development by Apple and Google,
are both voluntarily installed and decentralized.
Treating mobile devices as proxies for persons is, of course, imperfect.
Not everyone has a device, and not everyone who does carries it around with them.
But the simplifying assumption that the presence of a phone more or less equals the presence
of a person should still have considerable utility.
A study conducted at Oxford University estimated that to stop an epidemic, a population would
have to participate at rates of about 60%, although even lower levels of participation
could be expected to have a positive effect.
The Oxford researchers offer survey data they regard as encouraging.
They've collected feedback from over 6,000 potential app users in five countries, which suggests that 84.3% of users
would definitely or probably install a contact tracing app for coronavirus in the UK after
lockdown, and between 67.5 and 85.5% in France, Germany, Italy, and the USA.
But that seems for now to be over-optimistic. Even the success stories fall below half the population, and in most cases they're lower than the 40% participation rate The Conversation says authorities in Australia, to take one example, would be happy with.
The Washington Post reports that most Americans are either unwilling or unable to use even the
relatively non-intrusive, voluntary, and decentralized contact tracing apps. A Washington Post-University of Maryland poll finds widespread
reluctance among Americans to install such an app and concludes that skepticism about big tech's
reliability as a steward of personal data forms the principal basis of that reluctance.
Finally, CyberNews has taken a look at the malware for sale in dark web markets and concludes that it's surprisingly affordable and accessible. They looked at 10 such markets and evaluated them for malware availability, cost of the tools being sold, and availability of customer support. They found fairly capable tools selling for as little as $50, complete with updates and troubleshooting.
Still, buyer beware.
And kids, stay in school.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Also my co-host over on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
I want to talk today about online gaming.
And I know this is something that you spend some time doing.
I do, yes.
And of course, nobody likes a cheater.
No, I despise them.
I also despise people who are so good they might be cheating,
or I think they're cheating.
I see, where you cannot tell the difference. Their skills are such.
Yes, yes.
The problem is my skills are so low that a really skilled player might look to me like
a cheater.
I don't know.
Well, this is a real problem for the folks who run these online games because cheaters,
they take advantage of the systems and it's not fair to the other people who are playing
the games.
And some of these games have things that can be traded for having real value.
So we actually have a couple stories today that have to do with cheating.
Why don't you walk us through these?
So the first one actually comes from Ars Technica,
and it's from a company called Riot Games.
And they have a game coming out called Valorant, V-A-L-O-R-A-N-T.
And they are putting in a kernel level driver that is designed
to be an anti-cheating system. Now, traditionally, these games operate on the user level of the
computer, which is higher up from the kernel level. You can think of the user level as the
highest level, right, where the least amount of damage can happen, and the kernel level as the lowest level where the most amount of damage can happen.
Okay.
And that's really the concern here is that they are writing something that hooks into the kernel,
and if something is wrong with this piece of software, then a bug in this software that causes a failure could very well crash the machine,
give you a blue screen of death, as opposed to just
crashing an application at the user level, right? Which is, we see bugs in software all the time,
particularly on Windows, which has a much broader ecosystem of app developers. Microsoft doesn't
enforce like Apple does requirements and approval. So anybody can write an app or a program for Windows. And if that Windows app is
buggy, then it will crash. But fortunately, it doesn't touch the kernel, so it's fine. The
operating system keeps right on chugging, and the user experiences a minor inconvenience that is
caused solely by the application, and that inconvenience impacts only that application.
Right.
Now you're talking about putting something into the kernel,
which would not be so innocuous.
If something here fails,
then the entire kernel could very well fail,
which means you'll get that blue screen of death.
Additionally, if there is discovered in this device
or in this kernel driver, a buffer overflow exploit,
it could let an attacker install their own malicious code
at a very low level of
the operating system, essentially with administrator privileges. So the security concern here is that
a user installing this opens up that surface area at the very lowest levels of their system
for potential security issues. That's right. Now, on the other side of the argument, there is a
valid reason for doing this, right? Cheaters ruin the game experience for other players, and they devalue the game for the company, right?
Because if I get on there on a game and there's just a bunch of cheaters on there, I'm not playing that game.
That's no fun.
And cheating is something that has been going on in these video games for years.
And the video game companies try to handle these cheaters. And, of course, they give them something called the ban hammer, which is where they kick them out and they don't let them back in because once a cheater, always a cheater, they say.
I don't know how effective that is because it's very easy just to create another account and get back on there.
Unless you're in something like Steam, where I have most of my assets for gaming.
If I got banned, I would have to go out and buy the game again, right?
Now, do the folks who are cheating, are they generally running at the root level?
A lot of times they are.
They're running in the kernel level.
They're using cheat modes or cheat software that runs in the kernel space
so that the game software that detects cheating at the user space
can't really determine that it's cheating.
That's why they're going into the lower level here. I see. This is not something that's new
or unique. Fortnite does this. ARK: Survival Evolved has a fully proactive kernel-based protection system, as they call it. But everybody remembers the old Sony DRM debacle from 2005, where Sony essentially installed a rootkit on everybody's system.
Yeah, for digital rights management, for music, right?
I think this is significantly different.
Number one, they're telling you they're doing this.
Sony didn't tell you they were doing this, right?
Number two, they're doing this because they're trying to protect the playing experience for
the vast majority of the users, not because they're trying to protect their intellectual
property.
I don't think that's what's going on here. I think this is really,
the mission here is really to protect the user experience. Riot is working with application
security teams. They've had this thing evaluated by three different security evaluators, and they
also have a bug bounty program. So hopefully if there is a bug that's found, they'll quickly know
about it and then they can handle it.
Well, let's move on to the second story here, which is a little more lighthearted.
And I have to say I got a kick out of another way that some of these game providers are dealing with cheaters.
Right. Now this is from Infinity Ward and Activision, who are the makers of Call of Duty: Modern Warfare and Warzone. And what they're doing is they also have what they proudly proclaim is a zero tolerance policy towards cheating. And they have banned 50,000 cheaters in a month, which is a lot of cheaters. One of the things they're doing now is they're finding people who they suspect of cheating, and they're putting them all in the same game with each other. They're taking these guys, and they're removing them from my game and putting them all into their own game, which will frustrate them to no end as well.
So it benefits me, and it frustrates them,
which is great, I think.
It's a good solution.
Kind of quarantines them all together,
give them their own,
let them shoot at each other all day long
with their cheats.
Yeah, yeah.
All right.
Well, interesting cat and mouse game for sure.
Joe Carrigan, thanks for joining us.
It's my pleasure.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll
see you back here tomorrow.