CyberWire Daily - Huawei gets a RICO prosecution. Details on DPRK Hidden Cobra Trojans. Google takes down Chrome malvertising network. Run DNC. Hacker madness. Happy St. Valentine’s Day.
Episode Date: February 14, 2020
The US indicts Huawei for racketeering. The FBI and CISA release details on malware used by North Korea's Hidden Cobra. Iran attributes last week's DDoS attack to the US. Google takes down a big malvertising and click-fraud network that exploited Chrome extensions. Reports surface of DNC involvement in IowaReporterApp. Not all official advice is necessarily good advice. And if things don't work out with your object of affection, don't spy on their social media accounts, OK? Craig Williams from Cisco Talos with updates on JhoneRAT. Guest is Shuvo Chatterjee from Google on their Advanced Protection Program (APP). For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_14.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
The U.S. indicts Huawei for racketeering.
The FBI and CISA release details on malware used by North Korea's Hidden Cobra.
Iran attributes last week's DDoS attack to the U.S.
Google takes down a big malvertising and click fraud network that exploited Chrome extensions.
Reports surface of DNC involvement in Iowa reporter app.
Not all official advice is necessarily good advice.
And if things don't work out with your object of affection,
don't spy on their social media accounts.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 14th, 2020.
First, a happy St. Valentine's Day to lovebirds everywhere.
We trust you're shopping safely for candy and flowers and that you're sending your love letters by secure means.
Good for you, because what the world needs now is love. Sweet love.
Of course, it's not all hearts and flowers everywhere, and lately especially not in Shenzhen and Washington. The U.S. Justice Department has sent a new mash note to Huawei
in the form of a 16-count superseding RICO indictment.
TechCrunch calls the 16-charge indictment sprawling.
RICO is the acronym by which the Racketeer Influenced and Corrupt Organizations Act
is commonly known in the U.S.
It's a federal statute that dates to 1970
and that has been used
extensively in mob prosecutions. The U.S. alleges a decade-long conspiracy to steal the intellectual
property of U.S. firms. The defendants include many Huawei companies and subsidiaries, as well
as Wanzhou Meng. Ms. Meng, you'll recall, is the company's CFO, who's currently in Vancouver,
British Columbia, fighting extradition to the U.S. The Department of Justice says it's found
decades-long efforts by Huawei and several of its subsidiaries, both in the U.S. and in the People's
Republic of China, to misappropriate intellectual property, including from six U.S. technology
companies, in an effort to grow and operate Huawei's business.
Huawei calls the charges baseless and another move by the U.S. to irrevocably damage the company.
The company says it expects to prevail in court.
Lawfare points out that Huawei has shifted its position a bit on the Wall Street Journal's report that the company's devices were backdoored.
They've moved from saying we can't intercept traffic to we could intercept traffic, but someone would notice if we did.
The FBI and CISA have released malware analysis reports detailing malware used by North Korea's Hidden Cobra,
according to Bleeping Computer. The malware strains included in the report are Bistromath, Slick Shoes, Crowded Flounder, Hot Croissant, Artful Pie, Buffet Line, and Hoplite.
All of them are Trojans.
Iran, which had been slow to attribute blame for last weekend's distributed denial-of-service attack,
has now decided to call the incident an American operation, Tasnim reports.
How Tehran knows it was Washington isn't specified.
The official statements emphasize the success of Iran's cyber defenses.
Researchers at Cisco's Duo worked with Google to help Mountain View take down more than 500 malicious extensions from its store.
The bad Chrome extensions were part of an extensive malvertising and click fraud network.
Members of the Iowa Democratic Party have dropped a dime on the national organization
over the badly botched implementation of the Iowa Reporter app during last week's caucus.
Yahoo News received a copy of the contract between Shadow Incorporated and the Iowa Party
that required Shadow to deliver its code to the Democratic National Committee for testing.
Yahoo also obtained emails that seemed to indicate that senior DNC officials
were involved in drafting the contract.
The DNC disputes any inference that it was involved in developing the app.
Their involvement, a spokesperson says, was confined to an offer of security assistance.
Not all official advice, alas, is always useful or sometimes even well-informed. Consider,
if you will, a poster being circulated in the UK to advise British parents on how to see whether
their little nippers are staying safe online. The West Midlands Regional Organized Crime Unit's poster says
that if you see Tor, Kali Linux, Discord, Metasploit,
or a virtual machine on your child's device,
you should call the cops.
The Register says the poster is all bollocks,
which we're not sure is a bad word or not,
but at any rate, we think means hogwash or baloney or something like that.
At any rate, the WMROCU says that if you find any of these signs of children hacking,
let them know so they can engage them into positive diversions.
And positive diversions are exactly what the youth of Birmingham need.
So the poster is a bit like a minor version of a digital age reefer madness.
The UK's National Crime Agency, whose logo appears on the poster,
tweeted its own displeasure, quote,
The NCA was not involved in the production or release of this poster.
There are many tools which tech-savvy children use,
some of which can be used for both legal and illegal purposes,
so it is vital that parents and children know how these tools can be used safely. End quote.
And finally, to return to a St. Valentine's Day theme, let us all remember not to go crazy if things don't work out romance-wise. Sometimes they don't. Sometimes, well, they're just not that into
you. To stay with the mother country for a bit, the Mirror reports to the UK's shame
that almost one in five Brits, as the Mirror calls them, have logged on to their ex's social media
accounts to keep tabs on them. To this we can only say, how dare you, sir? For shame, madam.
Just let it go. And if you live in the West Midlands and you feel yourself moved to snoop on the one that got away,
well, just call the WMROCU and ask them to help you engage into positive diversions.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, it's always great to have you back.
You all recently published some information up on the Talos blog about JhoneRAT,
which is a cloud-based RAT that you all are tracking.
Take us through what you're looking at here.
Well, so this is actually one of the more interesting RATs we see. I wouldn't say the methodology is unique, but it is reasonably rare still. But it's one of those RATs that basically uses the cloud
to distribute itself. You know, it uses Google Docs and things like that. But it actually
checks the keyboard layout of victims before the installation path continues, which, you know,
it's not rare, but it is not something you see every single day.
And especially when you take into account the fact that this targeted basically only keyboard layouts in the Middle East,
it did make it pop up on our radar as something to look into.
So just for background, what is the purpose of something like this looking at keyboard layouts?
Well, so if you're a bad guy and maybe for whatever reason you only want to target users in a certain region,
so we'll see this kind of technique deployed if they want to target, let's say, utility providers in a certain country.
Maybe they just want billing accounts for, I don't know, let's say a Middle Eastern utility or Middle Eastern banks
or even something as simple and mundane as like cable providers.
Right. Lots of different things the adversaries can target and they may actually be combining different sources of intel.
Right. So maybe they want credentials for a certain Internet provider because they have the ability to go into that site and attempt those passwords without being detected.
So they assume that if they can
compromise those accounts, they'll go completely undetected. And alternatively, maybe they want
to target banks because they believe that they found a vulnerability in the way that the banking
system is laid out or whatever. So it's not unusual to see this type of activity, but seeing it so
specifically targeted in the Middle East is definitely something that made it pop up on our
radar. And so reading between the lines then, what does that tell you about what they're after here?
Well, in this case, we don't have any exact information on what they're after.
You know, obviously they wanted to get systems in the Middle East,
specifically in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, and countries around there.
But we don't know specifically from those countries what they want.
And so that's why it's kind of one of those situations
where there's a lot of possibilities
and there are bounds on those possibilities,
but it's still kind of a gray area
as to exactly what the attacker's eventual plan will be.
Are there any specific technical details
that are interesting when it comes to JhoneRAT?
Absolutely.
So this one had some really advanced
anti-debugging features. One of the things
that jumped out on my radar that I thought was extremely unusual
was the fact that it seemed to target Python
decompilers specifically.
So it's relatively unusual
for bad guys to go through the trouble
of distributing something
through a cloud provider like Google Drive, right?
That's not every day.
It's not rare.
But when you combine that with the regionality and you combine that with the Python anti-debugging,
it really made this one interesting.
And to give you an example specifically of what we mean here, if you were to take this
particular sample and run it through a tool like
uncompyle, and by the way, that's spelled P-Y-L-E, you know, because it's clever.
It actually would change the if statement to specify not any of these countries,
as opposed to any of these countries in the conditional. It's a very subtle response.
But when I was discussing this with my researchers, Paul and Vitor, they were puzzled because they
both came up with two different answers. And so you can imagine two people comparing notes remotely
when one's like it's X and the other's like, no, it specifically says not X. So a bit of confusing
fun for us to play with. And so there were little things like that that really made this jump out for us because that's relatively unusual.
And these set of different unusual circumstances really made it highlight itself on our radar.
And it's one of those threats that we're going to end up tracking probably fairly closely as a result just to see what the attacker is up to next.
And what are the recommendations to protect yourself?
Well, obviously, it comes down to the fact that you shouldn't be opening documents or
any file really from strange sources. And even if you do see something coming from a known source,
if it's an attachment or something that's not expected, go ahead and reach out. Send them a
text message, pick up the phone, and make sure that they intended to send you that. Because the reality is these
days we see lots of threats that go through emails, that go through existing conversations,
that go through existing contacts, and we'll carry out a conversation under the guise of a
previously reiterated conversation or, you know, just simply spamming out to all your contacts
along with a malicious attachment. All right. Well, the blog post is called
JhoneRAT: Cloud-Based Python RAT Targeting Middle Eastern Countries.
Craig Williams, thanks for joining us. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you.
My guest today is Shuvo Chatterjee.
He's product manager at Google in charge of advanced protection.
Shuvo's team at Google recently introduced new ways to make use of mobile devices
with some of their advanced protection security techniques.
In addition to that, our conversation explores the importance
of reducing friction for users when it comes to the adoption and day-to-day use of sophisticated
security tools. So advanced protection is Google's strongest offering for security for anyone's
accounts. So it can be consumer accounts, but it can also be your G Suite account as well.
And so what advanced protection provides is first, it's an
enforcement of security keys so that you have to have a security key in order to authenticate to
your device or to your computer or wherever you're logging in. Additionally, we have other protections
that we provide as well. So some of these are behind the scenes. We do a lot of things like
malware scanning for attachments and
various risk tolerances for account recovery. And last year, we announced for Chrome users who
are in advanced protection that they would start getting stricter verdicts about whether or not
they should really be downloading a file that they're trying to download. And there's various
other things that we're doing and there's more to be announced. But the general idea is that advanced
protection is constantly evolving as the threat landscape evolves. And so if you are a high-risk
individual, whether you're a politician, journalist, activist, whatever your role may be,
that this is the simplest way by which you can protect your digital life with Google.
And you've got some new ways to do that.
Can you take us through what additional measures you've enabled here?
Yeah, absolutely.
So one of the things that we noticed is, you know, taking a look at,
we commissioned this Harris Poll study of 500 high-risk users across various professions and taking a look at how many of them have been attacked. And of those who have been attacked, how many have actually taken any
kind of necessary steps. And so the vast majority have had some kind of phishing attack targeted
towards them. I think it was something around 74% that we found. But at the same time, the vast
majority haven't taken any action. They haven't enrolled
in 2SV or two-step verification or anything else like that. And so we've done a lot of user studies
and especially around Advanced Protection to understand what are the barriers to entry.
And while we feel these physical security keys are great in terms of what they do for phishing
resistance, it's still this thing
that a lot of people don't understand. And so with our latest update, what we did was now the device
in your pocket, which is your phone, can act as your security key. And once you have that enabled,
it's a one-click enrollment into advanced protection. So Android devices we announced
last year can act as a security key. Part of this
announcement is now we are letting iPhones as well act as a security key. And to do that,
a user downloads Google's Smart Lock app, and that takes care of the necessary
pieces on your phone, where unlike on on Android where we control the entire experience,
on iOS we have to create an app to get to where we want to be. But that way you have that
communication from Chrome to your phone to verify you are in proximity, it's you who's actually
trying to log in, and you get the same level of protection as you would with a physical security
key. Now the research that you all have done has shown that when people are using these sorts of
methods that you offer with APP, I mean, the level of security goes way up.
Yeah, absolutely. And even taking a step back from an advanced protection,
just enabling basic account security mechanisms such as basic two-step verification, it can block
upwards of 90% of automated bulk phishing attacks and a majority of targeted attacks.
What advanced protection helps with is the super targeted, highly motivated adversary,
those levels of attack. But people can take these simple steps as enrolling in 2SV
as a very first step to really reduce their surface area of attack.
And I suppose if you're someone who falls into that category, chances are you probably know it,
or someone's telling you that you are.
For the most part, we find that most people understand that they're higher risk. But the problem that we see oftentimes, so like, you know, this year being an election year, a lot of campaigns might be
thinking, okay, it's just the principal or maybe, you know, top staffers who are targets. But in
reality, it's anyone who would have access to sensitive data. It could be not only on the
campaign's email domain, but also your personal, right? Like your personal account ends up being this place
by which the rest of your digital life
could fall like dominoes.
And so protecting both personal account
and your enterprise account
for everyone who's associated with things
that are highly sensitive,
that's a really important step.
And I think people also discount that family members could also be people who are under attack from these highly motivated players because that's an entry point.
And through that entry point, they can have lateral movement and try to get to the final goal, which might be the principal.
Yeah, it's a really interesting insight. I mean,
I think a lot of folks, I think it's natural to think that when I leave the office and I head home
that a lot of those concerns, I leave them at the office, but not necessarily the case. Your home network could be a way that people try to come at you.
Your home network can be. It could be your connected devices. It could be your personal account that is also the recovery email for your bank account or for your social media or for, you know, various things are tied together. And oftentimes the thing that ties all these things together is that personal account. And people sometimes discount how important it is to protect that account.
We're always listening to user feedback,
and we've heard that people have said
that they've had a hard time with security keys,
or that it's been difficult to enroll in.
And what we are striving to do is strike that balance
between usability and security
so that we can offer our strongest level of security,
but making the experience better over time so that people aren't
having to choose between, well, this is too difficult and so I'm just not going to sign up
for it, which at the end of the day actually puts them in a worse position. And so we're
trying to bridge that gap. That's Shuvo Chatterjee from Google.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Thanks for listening.
We'll see you back here tomorrow. Thank you.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.