CyberWire Daily - EvilQuest ransomware identified. Out-of-band patches. The scope of Chinese surveillance of Uighurs. Hong Kong and the National Security Law. FCC finds against Huawei, ZTE.

Episode Date: July 1, 2020

EvilQuest ransomware found in pirated versions of the Little Snitch app. Out-of-band patches from Microsoft and Oracle. Extensive Chinese surveillance of Uighurs described. Hong Kong and the world react to China's new National Security Law. The US FCC finds both Huawei and ZTE are threats to national security. Joe Carrigan on password stealers that target gaming. Our guest is Kiersten Todt from the Cyber Readiness Institute on how COVID-19 has changed small business security and what to expect going forward. And Britain rethinks its position on Huawei and 5G infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/127

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. EvilQuest ransomware found in pirated versions of the Little Snitch app, out-of-band patches from Microsoft and Oracle, extensive Chinese surveillance of Uyghurs has been described, Hong Kong and the world react to China's new national security law, the US FCC finds both Huawei and ZTE are threats to national security, Joe Carrigan on password stealers that target gaming, our guest is Kiersten Todt from the Cyber Readiness Institute on how COVID-19 has changed small business security and what to expect going forward.
Starting point is 00:02:27 And Britain rethinks its position on Huawei and 5G infrastructure. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 1st, 2020. Researchers at Malwarebytes have discovered a strain of ransomware, EvilQuest, that's afflicting Mac systems through a malicious version of the legitimate Little Snitch software. They first found EvilQuest in a pirated copy of Little Snitch that was being hawked with torrent links on a Russian-language forum. The malicious version has a package installer file, which, of course, the legitimate app doesn't. Help Net Security, which has been talking to researchers at Jamf,
Starting point is 00:03:14 notes that the absence of some of the usual instructions on how to pay the ransom suggests that EvilQuest might actually amount to a smokescreen for some other activity. It's a developing story, but for now, it's safest to take EvilQuest at its word, consider it ransomware, and, as Malwarebytes advises, keep a good offline backup of your files. Microsoft issued two out-of-band patches yesterday to address remote code execution vulnerabilities in Windows 10 and Windows Server 2019, ZDNet reports.
Starting point is 00:03:47 Redmond wasn't the only place vendors got busy with quick patches. Mozilla released Firefox 78 yesterday, but then stopped the rollout when it was discovered that the new version came with several search issues. Bleeping Computer says Mozilla made a fix available this morning. Turning to the rest of the cybersecurity news, which today is dominated by news about China. Chinese government surveillance of its predominantly Muslim Uyghur minority was apparently both more extensive and began earlier than generally appreciated,
Starting point is 00:04:20 the New York Times reports. Researchers at the San Francisco-based security firm Lookout today published the results of their study of the campaign, and they've determined that the intrusive monitoring began at least in 2013 and wasn't confined to domestic targets, but extended to the Uyghur diaspora worldwide. Lookout determined that installation of various forms of spyware in Android phones used by the targets was the beginning of a comprehensive surveillance effort that eventually extended to collecting blood samples, voice prints, facial scans, and other personal data. They found connections among eight strains of malware they investigated. The campaign was of course concentrated in the western region of Xinjiang, where most Uyghurs live. The New York Times observes, without apparent irony, that the measures transformed the region into a virtual police state. But it was unrelenting in its pursuit of Uyghurs who went abroad, either permanently or temporarily,
Starting point is 00:05:19 as many as 14 other countries may have been affected. The malware was tied to Uyghur-language keyboards and for the most part consisted of Trojanized versions of otherwise legitimate apps, likely to be attractive to Uyghur users. Authorities eventually took steps to ensure that the targets of their surveillance kept their infected phones. Having a second phone, using an outmoded and thus presumably uninfected phone, dumping a phone for no good reason, or not having a phone at all, could get you confined to a detention camp. The campaign has been run by the Chinese threat group
Starting point is 00:05:54 variously known as Vixen Panda, APT15, Ke3chang, Mirage, or Playful Dragon. They paid some attention to Tibetans, but their central focus was always on the Uyghurs. Lookout acknowledges the theoretical possibility that the surveillance campaign was actually the work of patriotic hacktivists acting in the spirit of Beijing, although not actually under immediate government direction, but come on, they conclude, that theoretical possibility is pretty unlikely. Beijing's new national security law, enacted principally, although not exclusively, with Hong Kong in mind, has moved residents of the formerly semi-autonomous city to begin doing whatever they can to reduce their online traces before full enforcement is complete, according to the Nikkei Asian Review.
Starting point is 00:06:43 While justified in terms of restoring stability and prosperity to Hong Kong, the new law has a global reach. Quartz claims that it criminalizes any criticism of the Chinese Communist Party anywhere, by anyone, Chinese or foreign national. Politico says the European Union has begun considering a coordinated response to the new law. The UK has decided to take a direct and immediate step to help Hong Kongers caught by what London calls a clear violation of the agreement under which Hong Kong was returned to Chinese sovereignty 23 years ago today. The South China Morning Post has confirmed that more than 3 million citizens of Hong Kong will be offered British national passports. The passports would give the holders the right to settle in the UK for five years, at which point they would receive settled status and be able to apply for citizenship.
Starting point is 00:07:37 One of the lasting effects of the COVID-19 global pandemic is an ongoing sense of uncertainty. No one is immune, and it's made planning particularly challenging for small businesses. Kiersten Todt is Managing Director of the Cyber Readiness Institute, and she shares her insights on how COVID-19 has changed small business security. The Cyber Readiness Institute was founded in 2017. In 2016, I served as the executive director of President Obama's Commission on Enhancing National Cybersecurity. And toward the end of that commission, several of the commissioners and I got together to talk through how to continue the efforts by focusing on issues that we still feel and felt needed to have more resources and
Starting point is 00:08:22 time focused on them, and specifically small business cybersecurity. As you look toward the future, what sort of environment do you suppose we're going to find ourselves in? Are you hopeful that we're going to do a better job with this as we move forward? I think it's a very interesting question because we've been very focused on how to address the pandemic world and the remote workforce, all of these issues that are surrounding it. And when we've talked about going to the new normal, we've often talked a lot about what it means to take the lessons of these last two months. But I think as we're listening to how companies are starting to think about moving back to the new normal, which is really moving forward to the new normal, we know that especially in 2020,
Starting point is 00:09:12 very few companies will be bringing their whole workforce back into the office. I think, you know, I'll be surprised truly if any large company does. Already, we've heard from the tech companies, larger companies are talking about the fall bringing back 25% of the workforce. So to me, what that means is that the new normal, the new moving forward is going to be a hybrid of both a remote workforce and bringing back to the physical workspace. And that in itself comes with new challenges, because while securing an entirely remote workforce is difficult, there is a consistency about that. But if you're split between physical infrastructure and
Starting point is 00:09:51 everyone's remote homework infrastructure, and there's a balance and there's a rotation, there is a lot of opportunity for inconsistencies. And so I think the thing we need to be thinking about from a cybersecurity perspective is how to secure the hybrid workforce as we look into the future. So for the folks who are professionals in the cybersecurity realm, what can they do? How do they help spread the word about the types of efforts that you're undertaking here? So one of the things that we offer, all of our tools, as I mentioned earlier, are free. And so if you go on to our website, which is bcyberready.com, you can register for the program, but you also have access to the documents. We've been in touch with a lot of global organizations, the United Nations, the World Economic Forum, the Universal Postal Union and others. And we're just encouraging them to send our content to their stakeholders.
Starting point is 00:10:43 And we're just encouraging them to send our content to their stakeholders. Again, our objective is not to require small businesses to buy anything, but to truly invest in the workforce. Because at the end of the day, cybersecurity is grounded in human behavior. Human behavior can be a force multiplier for security, or it can be one of the most dangerous vulnerabilities in an organization. That's Kirsten Tott from the Cyber Readiness Institute. in an organization. That's Kirsten Tott from the Cyber Readiness Institute. The U.S. Federal Communications Commission has formally designated both Huawei and ZTE as threats to the U.S. national security. The FCC decision will, as Reuters and others point out, prevent U.S. carriers from using money from the Universal Service Fund, which controls $8.2 billion, to purchase equipment from either company.
Starting point is 00:11:27 The FCC also said that Congress would need to appropriate funds to compensate companies who now will have to rip and replace gear from the two Chinese manufacturers. Rural telecom carriers are most affected by the decision. And U.S. sanctions in general are changing the cost-benefit calculations of prospective Huawei users in other countries as well. The BBC reports that the British government is rethinking its own mildly restrictive, mildly permissive approach to allowing Chinese companies to participate in the U.K.'s 5G infrastructure. The U.S. sanctions that forbid Huawei and its third-party suppliers from using U.S. technology and software to manufacture their goods are well designed to pressure countries that use Huawei kit to revise their permissions. British Defense Secretary Ben Wallace called the U.S. measures, which come into full effect in September, a better set of sanctions than the earlier set. They're specifically clearly designed in a smarter
Starting point is 00:12:25 way to put countries that have high-risk vendors, specifically Huawei, under greater pressure. In any case, the UK and other countries are taking a noticeably harder line toward Huawei in particular. British authorities see the current situation in which the alternatives to the Chinese vendor are Ericsson and Nokia as a market failure. They're supporting the entry of Samsung and NEC into the market to diversify the supply chain. Calling all sellers. Salesforce is hiring account executives
Starting point is 00:13:00 to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:42 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:37 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:14:59 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. During this time of pandemic, when folks are spending a lot more time at home,
Starting point is 00:15:40 that means that for a lot of people, they're spending a lot more time online playing games. Now, you're a bit of a gamer, aren't you, Joe? Yes, I've been playing a lot of Fortnite, Dave. Okay. And a little bit of PUBG, but mostly Fortnite. All right. Well, I suspect you're not alone there. We had an interesting article come by, and this is reporting that Kaspersky has been reviewing some password stealers that's targeting gamers. What's going on here, Joe? What's happening is they're somehow getting these Trojans, these malicious actors are getting these Trojans onto users' machines, and then they're targeting these gaming platforms like Battle.net, Origin, and Uplay in attempts of stealing session cookies or session tokens,
Starting point is 00:16:19 not really cookies because it's not a web browser. But if I can steal someone's session token, that doesn't give me their username and password, but it does let me essentially connect as them, and then I can transfer valuable in-game items out to myself if the platform allows that. This was a problem years ago with World of Warcraft. Do you remember, did you ever play World of Warcraft?
Starting point is 00:16:43 I did not, but I'm certainly from, or know of the game. Right. I was never a big player of that game. Actually, I never did play it. I didn't care for it. But the idea was you would collect all these amazing items, but if someone got into your account, they could just transfer those items to themselves and then sell them for money later. And there was an entire black market around that. There may still be, I don't know. I don't know if people still play the game, but some of these Trojans actually don't just go after your gaming data. Some of them will sit there silently and wait until you start connecting to certain websites. And when you visit that website,
Starting point is 00:17:22 the malware will activate and start gathering data, essentially just being a key logger on the website so they can collect your username and password information. They note also that they may be going after credit card information as well. Yeah, they're going after credit card and banking information with these Trojans. I don't know how much at risk you are for credit card losses here. I mean, I think that's probably a minimal risk to the user. Unless you have a debit card, that can be a little bit more devastating. But if you can get a credit card, I recommend using a credit card for any online transactions. Because that's not your money. And if you file a purchase as being fraudulent, then you're not out of anything.
Starting point is 00:18:01 Whereas with a debit card, you can be out up to $50. And it may take some time for you to get your money back. Yeah. What are they recommending here in terms of protecting yourself if you're a gamer? Well, there is one thing that you should always do, and that is set up two-factor authentication, right? Even if your login, your username and password have been stolen, they will not be able to access your account if you have two-factor authentication on. And we talk about that frequently with the various forms of two-factor authentication are, but any form of two-factor authentication is a lot better than no two-factor authentication. Just do it. It's great. Only download gaming modifications from trusted
Starting point is 00:18:40 sources. Apparently that's where some of these are coming from, these mods. You can get mods everywhere. I know that Steam actually will publish mods for their games. You can actually write a mod for a game and then publish it on Steam, and then Steam vets it, and then you can download it. We actually did this. My daughter's fiancé did this with a Civ mod that just made the game completely noncompetitive, but it was his this with a sieve mod that just made the game completely non-competitive, but it was his experimentation with a mod and it was available on steam and
Starting point is 00:19:09 we could, we could download it. Reminds me of the fast shoot version of Galaga. Right? Yes. My favorite mod. That's, that was a great mod.
Starting point is 00:19:20 I remember that one. It was just, yeah. Wipe everything out in a couple of seconds. Yeah. They say use a reliable security solution. And, of course, because this is from Kaspersky, they say Kaspersky Security Cloud is a great solution.
Starting point is 00:19:34 But there are tons of other security solutions out there. And I'm not saying that you shouldn't use Kaspersky, but just understand this is a Kaspersky article. But there are lots of services out there. One of the things they note here is that their product has a gaming mode because a lot of times games will do things, like particularly when they're using their anti-cheat software, they'll do things that look malicious. So your antivirus software may flag it as malicious and may stop it from happening. But Kaspersky says don't turn it off.
Starting point is 00:20:04 Don't turn off the security when you're playing a game. Their product has a gaming mode that reduces CPU load. So if you're playing on a PC, you may be playing where every processor operation counts, right? Right, right. So turning off that antivirus may seem like an attractive idea, but don't do it. Use an antivirus that has a gaming mode that just reduces the load. The advantage is you're not really doing much else other than playing a game at the time. So there's not a lot of stuff going on. Yeah. All right. Well, good advice if you're someone out there who's spending some more time gaming during all this
Starting point is 00:20:40 to help you get through it. Some words of warning here to make sure that you're not being targeted. Absolutely. All right. Well, Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
Starting point is 00:21:17 securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:22:00 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Starting point is 00:22:20 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and impactful. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
