CyberWire Daily - Huawei CFO arrested in Canada, faces extradition to US. Anonymous claims that Chinese intelligence hacked Marriott. Russian hospital phished. SamSam indictments, warnings. Facebook agonistes.
Episode Date: December 6, 2018

In today's podcast, we hear that Huawei's CFO was arrested in Vancouver on a US sanctions beef. Anonymous sources tell Reuters Chinese intelligence was behind the Marriott hack. A Flash zero-day is used in an attack against a Russian hospital. SamSam warnings and new US indictments. In the UK, Parliament releases internal Facebook emails that suggest discreditable data-use practices. Facebook says the emails are being taken out of context. And DDoS downs Illinois homework. Dr. Charles Clancy from VA Tech's Hume Center on the ban of specific 5G hardware around the world. Guest is Tom Bonner from Cylance on the SpyRATs of Ocean Lotus. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Huawei's CFO is arrested in Vancouver on a U.S. sanctions beef.
Anonymous sources tell Reuters Chinese intelligence was behind the Marriott hack.
A Flash zero-day is used in an attack
against a Russian hospital.
SamSam warnings and new U.S. indictments.
In the U.K., Parliament releases
internal Facebook emails that suggest
discreditable data use practices.
Facebook says the emails are being taken out of context.
And DDoS downs Illinois homework.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 6, 2018.
Canadian authorities detained Huawei's CFO Meng Wanzhou in Vancouver yesterday at the request of the U.S. Justice Department.
U.S. prosecutors want Ms. Meng extradited to face charges
related to alleged violations of sanctions against Iran.
Huawei has been under suspicion of trading with Iran
in violation of international sanctions imposed on the Islamic Republic
to inhibit that country's ambition to acquire nuclear weapons.
In the U.S., those suspicions go back to at least 2016,
when the U.S. Commerce Department was investigating Huawei's smaller rival ZTE for sanctions violations.
The penalties the U.S. subsequently imposed on ZTE brought that company to the brink
of failure. During that inquiry, commerce investigators found internal ZTE documents
that showed ZTE was studying another company's ways of evading sanctions. That other company,
named only as F7, is now believed, the Wall Street Journal reports, to have been Huawei.
The daughter of Huawei's founder, Ren Zhengfei, Meng Wanzhou has come to be regarded as the face of the company.
The arrest apparently triggered a stock sell-off in European markets,
which dropped to a two-year low after the arrest was announced.
Huawei has for some time been under suspicion of collecting on behalf of China's intelligence services,
which is why Australia, the US and New Zealand have moved to exclude the company's products from forthcoming mobile networks.
In the UK, the head of MI6 used the occasion of a rare speech to strongly caution against allowing Huawei to expand its presence in British networks. And the country's largest telecom provider, BT,
this week announced that it would jettison its Huawei-produced equipment. With the arrest in
Vancouver, all of the Five Eyes have now taken certain measures against Huawei.
How the collar will affect the Sino-American 90-day trade war truce is unclear, but there
are few indications of relaxation in either
Chinese industrial espionage or American lawfare. In a development announced in a Reuters exclusive,
there are now suspicions that the Chinese government may have been behind the Marriott
breach. The long-term, quiet presence of hackers in the hotel chain's networks,
as well as the apparent absence of criminal exploitation of the
data that were stolen, prompted early speculation that a state intelligence service was behind the
data breach. Reuters says now that private investigators attribute the Marriott data
breach to Chinese intelligence services. Anonymous sources, anonymous because they
weren't authorized to talk, told the news service that investigators found
hacking tools, techniques, and procedures
previously linked to China's government.
This evidence is, of course, both anonymously sourced
and also circumstantial
and should be treated with appropriate caution.
Hacking tools are both shared and stolen,
and techniques and procedures can be mimicked.
For a cautionary tale of murky attribution, consider the reservations Microsoft researchers
expressed early this week about last month's claims that Russia's Cozy Bear was behind
a phishing campaign that afflicted the U.S. State Department and various think tanks.
So, the Marriott story is still developing.
Researchers at security firm Cylance recently published a report titled
The SpyRATs of Ocean Lotus, describing a series of backdoors
and the command and control servers used to service them.
Tom Bonner is director of threat research at Cylance.
So this was uncovered during an incident response investigation.
We started to receive a few remote access Trojans related to this case.
And pulling them apart, it quickly became apparent that it aligned nicely with Ocean Lotus APT32 tactics.
And from there, we started to investigate further, see what other malware and remote access
Trojans we could uncover. And in the end, I believe we ended up with a list of about 120
different samples. So we've mapped those out and the key sort of malware families
underpinning the Ocean Lotus attacks. The process initially started with IR.
They were conducting an investigation for a particular company, found an interesting
sample that they couldn't get to really load or run properly.
So that sort of landed within threat research to take a closer look at.
It turned out actually to be a new backdoor from APT32 Group.
Very interesting.
We've named this one Roland. Basically, it comes sort
of highly obfuscated, encrypted if you will, although the key's obviously sent with it, so
it's quite trivial to decrypt that. But then the loader process is a little bit complex,
and after that it sort of loads a payload into memory that then starts communicating back to the attacker.
And that allows the attacker to run remote commands on an infected system.
And for this particular backdoor, it's got a very comprehensive set of commands.
So you can do anything from viewing system information, viewing files, or uploading and executing files,
even to sort of unpacking
RAR archives. They've got their own custom archive formats.
And in terms of communicating with the command and control server, what's going on there?
This one's using a custom TCP-based communications channel. So if we go over the sort of family of rats that we found, or families, I should say, Roland was performing command and control communications using custom TCP sockets. There was another backdoor called Remy, and that was using HTTP. Another remote access trojan called Splinter, that was again using sort of custom C2
with TCP sockets. Another remote access version called Rizzo, and this was using ICMP, so sort of
ping packets, basically. And then another one which has been well documented by other vendors
called Dennis, which is using DNS tunneling to perform its communications.
Now, in terms of people protecting themselves against this, what are your recommendations?
I mean, really sort of a layered approach. So, I mean, on the endpoint, your antivirus EDR software
is going to be a big help. You know, for larger organizations, I would certainly recommend having monitoring at egress points
on the network, certainly to look for things like DNS tunneling and a lot of the C2 communications.
But really, you know, as usual, the multi-layered approach often works best.
That's Tom Bonner from Cylance. The report is titled The SpyRATs of Ocean Lotus.
You can find it on the Cylance website.
A Flash Zero Day was used to attack a Russian hospital.
The malware was carried in a Microsoft Office document attached to an email.
Office is one of the remaining channels through which the widely deprecated Flash software can be distributed in malicious form.
The Russian language document represented itself as an application for a job at the targeted hospital.
Who was responsible for the attack is unclear,
but informed speculation holds it was probably
either a Ukrainian or a Russian operation.
The zero-day was submitted to VirusTotal
from a Ukrainian IP address,
which could mean either a Ukrainian author
or a Ukrainian discoverer.
If the attacker was Russian, the incident would in all likelihood be either ordinary crime
or a state-directed provocation. Some observers think it likely the attack was mounted from
Ukraine, either by criminals, hacktivists, or state security services, and that it represented
retaliation for the Kerch Strait incident
in which Russian units seized three Ukrainian naval vessels.
If it's a state attack, the choice of target is questionable.
There may not be many formal international agreements governing cyber war,
but if the existing laws of armed conflict are any guide, hospitals ought to be off-limits.
A U.S. federal grand jury in Atlanta has brought additional charges against the two Iranian men previously indicted for the deployment of SamSam ransomware. The new charges specifically address
the attack on the city of Atlanta. The two accused remain at large, and they're of course
not SamSam's only possible controllers. The FBI and U.S. Department of Homeland Security warn
that SamSam is being actively deployed against critical infrastructure targets, including utilities.
The British Parliament's inquiry into Facebook's data handling and commercial practices
continues to bring bad news for the social network.
Internal emails look particularly bad.
Parliament took these from a third party, Six4Three,
that received them in discovery during a bikini-related litigation with Facebook.
The emails appear to show that Facebook established a whitelisting program
in which they would offer selected customers access to information about users' friends
that's friends in the Facebook term of art sense
through an API.
It's unclear that users were informed that their data might be used in this way.
There's also an anti-competitive aspect to this
or at least that's the way Parliament's Committee on Culture, Media and Sport
the group that's investigating, sees it.
It appears to them that Facebook excluded potential competitors from the white list. Facebook founder and CEO Mark
Zuckerberg has replied with denials that Facebook ever sold user data. He also points to work he
says the company has done to exclude shady apps from interacting with its platform, and he suggests that the emails, for the most part,
represent pre-decisional internal discussions.
The social network has said Parliament cherry-picked the emails it released,
and that if they were considered in proper context,
they wouldn't look bad at all.
Finally, we sometimes have occasion to think about
how deep and enduring aspects of American culture manifest themselves in cyberspace.
One such cultural strain, a deeply ingrained laziness that moves Americans to expend a great deal of time, effort, and sweat,
if doing so promises to get them out of doing something they'd rather not do, is on display in the state of Illinois this week.
A high school student in the central Illinois town of Mount Zion was arrested and told to
appear in court to face charges of computer tampering. Mount Zion police say the unnamed
student conducted three distributed denial of service attacks against the school district's
network on November 20th, 26th, and 27th.
The goal of the DDoS campaign was to disrupt the school's online homework system.
Whether the 18-year-old was doing it for the lulz, or really just didn't want to turn in
a worksheet on the judicial system or some other assignment, we don't know.
But we do know this.
Kids, stay in school. And turning your homework in shouldn't become a matter for the police.
Join us on the cutting edge of technology. Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center
for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We saw a story come by on ZDNet.
This was written by Chris Duckett, and the title was 5G Stakes Couldn't Be Higher,
So We Advised Huawei Ban. And this is the Australian Signals Directorate.
What's going on here? What are they concerned about?
So there's been global concern, certainly from within the United States, but also in much of the rest of the world,
that as 4G networks have been built out and now as 5G is coming online, that the supply chain for this is limited in that there's only a handful of major vendors who are providing equipment.
You essentially have a couple vendors in Europe, and then you have Huawei out of China. And with increasing cybersecurity concerns around Huawei,
the world is trying to figure out how it wants to work with Huawei
or doesn't want to work with Huawei when it comes to 5G.
And the concern here is that Huawei has too close of a relationship with the Chinese government?
Exactly.
And there are sort of two facets there.
One is that Huawei may have hidden back doors in the equipment that would allow Chinese intelligence and military services to remotely access it.
Or even more directly, the fact that many countries lack the technical knowledge needed to operate their own telecommunications infrastructure
and frequently will end up in a services relationship with Huawei,
where Huawei not only provides the equipment, but also operates the equipment on behalf of the country.
Now, one thing that the article points out here is this notion that these networks have a core and an edge,
and that that difference is being diminished with 5G.
Can you explain to us, what are we talking about with an edge and a core, and how is that evolving?
So within the early cellular networks, and in fact all the way up through 4G,
you had a very well-defined logical network.
You had a core network that was responsible for subscriber data and call records
and call routing. You had a kind of the intermediate network, which was the cell towers themselves.
The cell towers represented the edge of the carrier network. And then the edge network
continued from there, which connected all the way to your handset. So you have your handset on one end, the cell phones themselves, which are the property of the consumers. You have the cell
tower in the middle, and then you have the core network, which needs to be protected.
And as we saw with the legislation and regulatory activity here in the United States,
when a Huawei and ZTE ban was proposed by Congress last year, ultimately
that language was modified to essentially say that it's okay to still use Huawei phones,
but you shouldn't use Huawei routers in the core of your network.
So the argument over the last year has really been that many countries are taking the position
that in the core of the network, we definitely don't want any Huawei equipment.
But on the edge of the network, for example, low-cost handsets, it may be okay to have Huawei devices because the impact to national security is lower.
However, the Australians are making the case that the edge of the network is starting to disappear in 5G.
And in fact, the 5G core network really is just a collection of
services that live in the cloud. And so certainly there are cell sites that are responsible to
connect phones to the network, but the strong physical linkages, the individual boxes in a
network map are vanishing and turning into essentially apps running in the cloud.
So I think it's an interesting point that it's harder to make that differentiation.
But I think at the end of the day, what many of the carriers are going to care about is
essentially whether or not they can use Huawei cell phones, because Huawei cell phones are
an inexpensive option that allow a much broader population to be able to afford smartphones.
All right. Dr. Charles Clancy, thanks for joining us.
Thanks a lot.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.