CyberWire Daily - Huawei to be closed out of UK’s 5G infrastructure. Spyware, ransomware, and botnets. The odd case of Data Viper. SAP has a major patch out.
Episode Date: July 14, 2020

The British Government decides to ban Huawei. More on the malware associated with the Golden Tax software package. The Molerats appear to be behind some spyware misrepresenting itself as a secure chat app. The Phorpiex botnet is back distributing a new ransomware strain. The odd case of the Data Viper breach. Ben Yelin tracks a ruling from the D.C. Circuit Court on the release of electronic surveillance records. Our guest is Ann Johnson from Microsoft discussing her keynote at RSA APJ, The Rise of Digital Empathy. And SAP has a patch out; if you're a user, CISA advises you to take this one seriously. For links to all of today's stories, check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/135
Transcript
You're listening to the CyberWire Network, powered by N2K.
The British Government decides to ban Huawei. More on the malware associated with the Golden Tax software package. The Molerats appear to be behind some spyware misrepresenting itself as a secure chat app. The Phorpiex botnet is back distributing a new ransomware strain. The odd case of the Data Viper breach. Ben Yelin tracks a ruling from the D.C. Circuit Court on the release of electronic surveillance records. Our guest is Ann Johnson from Microsoft discussing her keynote at RSA APJ, The Rise of Digital Empathy. And SAP has a patch out; if you're a user, CISA advises you to take this one seriously.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Tuesday, July 14th, 2020.
As expected, the UK has now banned Huawei from participation in its 5G build-out. This policy reverses an earlier decision to permit the company some limited role in non-core sections of the coming British infrastructure. In many respects, the decision represents an attempt at internal compromise. British telecommunications companies had worried about the cost of replacing equipment. The Guardian reports that all Huawei 5G equipment must be out of British 5G networks by 2027 and that no new 5G gear may be purchased after the end of this year. The BBC reports that Tory backbenchers remain unsatisfied. They want quicker action, but the decision represents a sharp setback for Huawei. According to Sky News, Huawei's UK chair, Lord Browne, has resigned.

Researchers at Trustwave's SpiderLabs have an update to their report on Golden Tax, a spyware-infested tax software package intended for use by companies doing business in China. Their first reports concentrated on GoldenSpy, and now they're describing GoldenHelper, an earlier malware dropper embedded in Golden Tax.
The GoldenHelper campaign ran from 2018 through January of this year. Its specific objectives remain unclear, but its behavior suggests that it was up to no good. Trustwave says its research is continuing, writing, quote, "We have not yet identified a sample of the final GoldenHelper payload, taxver.exe. We do not know its purpose, capabilities, or IOCs," end quote. If you've got a sample, drop them a line.
Bratislava-based security firm ESET says the Molerats, also known as the Gaza Hackers, have resurfaced with Welcome Chat, an app that represents itself as offering secure messaging. It does indeed deliver messaging, but security? Not so much. It's a spyware carrier by design. The app targets Arabic speakers in the Middle East. As ESET describes it, quote, "Not only is Welcome Chat an espionage tool; on top of that, its operators left the data harvested from their victims freely available on the Internet, and the app was never available on the official Android app store," end quote.
Welcome Chat requests that users grant an extensive list of permissions upon installation,
access to SMS messages, accessing files, record audio, access contacts,
and access device location.
Chat apps do tend to request more permissions than most other classes of
applications, and so even this list might pass a user's scrutiny without raising an alarm.
But in this case, the permissions do more than facilitate chat.
Designed to call back to its command and control server every five minutes,
Welcome Chat has been observed exfiltrating sent and received SMS messages,
call log history, contact list, user photos, recorded phone calls,
the GPS location of the device, and device information.
Many, if not most, spyware apps of this sort are trojanized versions of legitimate applications. But ESET thinks Welcome Chat is different: it was designed from the outset as spyware. Usually, you can find the original clean version of an app that's been trojanized. ESET, however, has looked, and they can't find a clean version of Welcome Chat anywhere.
Sure, sure, we know absence of evidence isn't evidence of absence, but on the other hand,
it's reasonable to think that an innocent version of Welcome Chat would have turned up by now.
So, if you're interested in security advice, and who isn't, don't install Welcome Chat.
ESET generalizes that advice.
Don't install any Android app offered outside Google's Play Store.
That's not an infallible marker of legitimacy and security, but it's far, far better than buying from the virtual equivalent of some guy's car trunk on the corner of Greenwood and North Avenue.

Security firm Check Point warns that the Phorpiex botnet is delivering Avaddon ransomware. Phorpiex had hitherto been best known as a distributor of sextortion emails, but it's now carrying more than the implausible threat to email your friends discreditable screenshots of you during moments of private leisure. It had also been used to distribute GandCrab ransomware, ZDNet notes. Its distribution of Avaddon is accomplished with a phishing email that uses a wink emoji as its subject and carries a payload in an attached zip file. Apparently, it's working on someone, hard as that may be to imagine.
Krebs on Security confirms that security startup Data Viper, which describes itself as a threat intelligence platform designed to provide organizations, investigators, and law enforcement with access to the largest collection of private hacker channels, pastes, forums, and breach databases on the market, has itself been breached. Possibly. The founder of Data Viper, Vinny Troia, says that the data that's been posted for sale on the dark web didn't come from his firm, but rather from the original hackers, who are simply interested in discrediting him. Mr. Troia does acknowledge that there was a compromise at Data Viper, but says it occurred when one of his developers accidentally left his credentials exposed. He blames the hacking groups GnosticPlayers and ShinyHunters for the whole operation, and he describes their motive as personal revenge.

One bit of alleged fallout from the Data Viper affair, ZDNet reports, is what appears to be a very large trove of personal data lost in the 2019 MGM Resorts breach. The tally of affected guests had earlier been put at 10.6 million, but if those who claim to have hacked Data Viper are to be believed, that number is an order of magnitude too low. They're advertising data on more than 142 million MGM hotel guests, and they're asking just a shade over $2,900 for the whole shebang.
Ann Johnson is Corporate Vice President,
Business Development, Security Compliance,
and Identity at Microsoft.
She's presenting a keynote
at the upcoming RSA Asia Pacific and Japan Conference,
with which the CyberWire is proud to be a media partner.
Ann Johnson's keynote is titled,
The Rise of Digital Empathy.
Digital empathy is the ability for the user to make errors and not have their
work impacted, is the way I would describe it the best. When you think about what we've gone through
in the first six months of 2020 on a global scale, when we sent the largest workforce home
to work remotely, and we did it very quickly.
We needed users to be productive, and those users needed to have access to their tools.
But we didn't want them to be stressed out about the security or the privacy or the compliance around the use of those tools.
So when I talk about digital empathy in the context of cybersecurity, it's that ability to actually allow the user the room to make mistakes.
But the tools are good enough that the environment and the entity, whether it's a government entity or a corporate entity, will be protected even if the user does make an error because the user is just in a very stressful environment, right?
And they're trying to work.
Maybe they have their children at home.
Maybe they're having to procure groceries in a different manner or they're caring for a sick family member.
So it really does need to be empathetic to the end user experience when we're thinking
about building cybersecurity tools.
Can you give us some examples of some practical ways to implement this sort of approach?
Sure. The first thing I would say, and it's the thing I always say, is mandate multi-factor
authentication for 100% of your users, 100% of the time. This way, you remove the password in
its entirety, right? So you don't have to risk the user clicking on a phishing link and
giving away their credentials innocently because they didn't realize the link was a phishing link.
If you're requiring the use of multi-factor authentication, it makes the password near
useless. Now, nothing is perfect, but that's one way to give a lot of empathy to the end user
because you're saying, look, we're going to give you a tool that means if you make this common error, by the way, of clicking on a phishing link,
it has much less impact to you and it has much less impact to the enterprise.
It strikes me that, as you kind of touched on earlier, the cybersecurity industry itself,
I would say, if you listed, I don't know, their top five attributes, I don't suspect empathy would make the list.
Is this a bit of a culture change that needs to take place here?
It is.
And the cybersecurity industry has a lot of things.
It's a maturing, right?
The industry needs to mature in a lot of ways, all the way from the language we use to describe things.
I actually wrote a blog on that. I think it's been about a year and a half ago,
through how we think about the end user and the end user experience and how we develop tools
that are easier to use, but also really transparent to the end user. So they're just
experiencing their work. And all of that is a part of what I say, the maturing process of the cybersecurity industry as a whole.
That's Ann Johnson from Microsoft.
The RSA Asia Pacific and Japan Conference kicks off this week.
It's Patch Tuesday, and Redmond will issue its customary round of fixes later today.
But SAP is already out with a significant patch. The issue, CVE-2020-6287, arises in the LM Configuration Wizard of the NetWeaver Application Server. Researchers at Onapsis discovered the vulnerability, which is reckoned a serious one. There's no evidence of exploitation in the wild so far, but CISA strongly recommends applying the patch as soon as possible. At least 40,000 SAP customers are thought to be at risk. Onapsis calls the bug RECON, that is, Remotely Exploitable Code On NetWeaver. It opens affected SAP systems to an unauthenticated attacker who could gain full access to them. Onapsis writes, quote, "This includes the ability to modify financial records, steal personally identifiable information from employees, customers, and suppliers, corrupt data, delete or modify logs and traces, and other actions that put essential business operations, cybersecurity, and regulatory compliance at risk," end quote. Thus, RECON represents a serious threat to data integrity, security, and privacy.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast. Hey, Ben, great to have you back.
Good to be with you again, Dave.
Interesting article came by having to do with electronic surveillance records.
And this is a finding from the U.S. Court of Appeals for D.C.
Unpack it here for us, Ben. What's going on? So the article says that the U.S.
Court of Appeals for the District of Columbia Circuit ruled that a federal judge should unseal
electronic surveillance records in closed investigations. So there are a lot of investigations
where there's classified information on which surveillance tools were used. So whether it was
pen registers, whether it was
something obtained through the Stored Communications Act. And people who are interested in these types
of surveillance methods want to find out, you know, after the investigation has been closed,
what types of methods have been used. There's a very enterprising reporter who works for BuzzFeed
News. His name is Jason Leopold. You should follow him on Twitter because
he is the FOIA king. He is constantly submitting freedom of
information requests and uncovering fascinating information, including
redacted parts of the Robert Mueller report.
I'll give a shout out to him first and foremost. The argument
on behalf of the government was that producing this data would be too time-consuming and burdensome.
It would be too much effort, basically, too much of an administrative burden.
The decision handed down by Judge Merrick Garland, yes, that Merrick Garland, holds that a large administrative burden cannot be a valid excuse against releasing this information.
Now, he respects the administrative burden.
This is going to take a lot of man hours to go through and figure out what exactly needs to be redacted and unredacted.
It might take a lot of personnel.
That's fine to the extent that it might delay the release of this information, but it is not in and of itself a justification to deny this Freedom of Information Act request.
And the reason for that is that the public has a right to know, after these cases have been closed, what surveillance methods are being used on our fellow citizens.
So I think it was a pretty groundbreaking decision from the second highest court, in my opinion, the second highest court in terms of importance in the United States.
So a very interesting decision.
Is this likely the final word on this or could this go farther from here?
It's possible it could go further.
The decision on the three-judge panel was unanimous.
Now, the government could petition to have the entire D.C. Circuit hear the case. You know, I think it's possible, depending on how much they really want to hide information on their surveillance methods, that at least could
push, could kick the can down the road a little bit. I would expect the D.C. Circuit, because the
three-judge panel was unanimous, to deny a rehearing en banc,
meaning that the whole D.C. Circuit Court of Appeals would hear the case. And if that's true,
the government would have to appeal to the Supreme Court. I don't know if the Supreme Court is really interested in weighing in on this. It doesn't seem to be a split among circuits. It's a very
DC-specific issue, accessing federal records, so it's not like many other courts would or should have the opportunity to weigh in.
So if I had to predict it, I do think this is probably the final word on this particular question.
I see. Yeah, I have to give a tip of the hat to Merrick Garland.
He managed to, in his opinion here, include a reference to Raiders of the Lost
Ark. Yeah, he's such a good writer. Putting in that Indiana Jones reference is just the tip of
the iceberg for Merrick Garland, who has had to settle for his current position, which is still
extremely powerful. But yes, major hat tip to him. And I'll mention the other two judges who were part of this decision.
One of them is Larry Silberman.
Aren't exactly your garden variety liberal judges.
So this is a pretty broad decision ideologically.
All right.
Well, interesting development.
I suppose this is one of those that has long-lasting implications.
Absolutely. And I think we'll see fewer government agencies try to use the excuse that there's a
large administrative burden when they're seeking to deny FOIA requests. Now, there are other reasons
they can invoke to deny FOIA requests. There are a lot of exceptions in the FOIA laws,
but it's going to be harder to use this particular excuse
after this decision was handed down.
All right. Interesting stuff.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben. Thanks for listening. We'll see you back here tomorrow.