CyberWire Daily - Meowing exposed databases. US indicts two Chinese nationals for hacking, and orders China to close its Houston consulate.

Episode Date: July 22, 2020

“Meowing” is now a thing: the automated discovery and wiping of exposed and unprotected databases. The US indicts two Chinese nationals on eleven counts of hacking and reports evidence that Chinese intelligence services are now using cybercriminals as contractors. Mike Schaub from CloudCheckr on why COVID-19 has ignited modernization projects for government agencies. Joe Carrigan on counterfeit Cisco routers. The US State Department tells China to close its consulate in Houston. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/141

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:34 The U.S. indicts two Chinese nationals on 11 counts of hacking and reports evidence that Chinese intelligence services are now using cyber criminals as contractors. Mike Schaub from CloudCheckr on why COVID-19 has ignited modernization projects for government agencies. Joe Carrigan on counterfeit Cisco routers. And the U.S. State Department tells China to close its consulate in Houston. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 22, 2020.
Starting point is 00:02:47 An ongoing wave of destructive attacks, meow attacks, appears to use an automated tool to find and wipe exposed Elasticsearch and MongoDB instances. According to Bleeping Computer, there are no ransom notes, no threats, no crowing, and no explanation for the attacks. One possible explanation is that the attacks represent tough love from vigilantes pushing admins to secure their databases. But that's speculation. Meowing could represent anything from misdirection to preparation for a protection racket to an appetite for destruction to the lulz. The U.S. Attorney General for the Eastern District of Washington has secured an indictment against two Chinese nationals on 11 counts of hacking computer networks to obtain intellectual property.
Starting point is 00:03:28 They are said to have cast a wide net, working against targets in 11 countries and at least 12 economic sectors. Each man faces one count of conspiracy to commit computer fraud, a maximum sentence of five years in prison, one count of conspiracy to commit theft of trade secrets, a maximum sentence of ten years in prison, one count of conspiracy to commit wire fraud, twenty years max,
Starting point is 00:03:53 one count of unauthorized access of a computer, a maximum sentence of five years, and seven counts of aggravated identity theft, a mandatory two non-consecutive years for each count. The investigation of the pair began when an intrusion into Department of Energy networks in Hanford, Washington, was detected, and it moved on from there. The FBI said the two worked with the Guangdong State Security Department, the GSSD, of the Ministry of State Security, while also targeting victims worldwide
Starting point is 00:04:26 for personal profit. Chinese nationals have been indicted by the U.S. before in connection with espionage, but these, most famously the PLA officer with the unfortunate hacker name of Ugly Gorilla and his colleagues active against the metallurgical industry in Pennsylvania, were strictly on the government payroll, working on the PLA's dime. The indictment is therefore interesting in that it appears to represent the first case in which Chinese hackers have been indicted for both state-directed espionage and ordinary self-interested cybercrime. In the Department of Justice press release that announced the charges,
Starting point is 00:05:05 Assistant Attorney General for National Security John C. Demers said, quote, China has now taken its place alongside Russia, Iran, and North Korea in that shameful club of nations that provide a safe haven for cybercriminals in exchange for those criminals being on call to work for the benefit of the state, here to feed the Chinese Communist Party's insatiable hunger for American and other non-Chinese companies' hard-earned intellectual property, including COVID-19 research. Russian government use of cybercriminals in its espionage and influence operations was discussed in the Intelligence and Security Committee
Starting point is 00:05:45 of Parliament report rendered in the United Kingdom earlier this week, and the U.S. intelligence community has long taken notice of how mobbed up Russian cyber operations can be. But some observers see a difference in national styles. The Washington Post spoke with some professional hood watchers in think tanks and security firms, and they tended to see the Russians as winking at cybercrime
Starting point is 00:06:09 as long as the gangs keep their hands off the wrong targets, that is, the domestic and connected ones, and as long as they're willing to do the official security and intelligence organs' favors when asked. The Chinese treat the criminals more like contractors and are content to let them profit on the side. In this case, while they allegedly stole trade secrets, spied on dissidents abroad, and assisted with influence operations, they also had a nice side hustle raiding Bitcoin wallets. The Justice Department thanked its international partners and the work the FBI's legal attachés did to coordinate the investigation with them. There was some international applause for the indictment, Yahoo notes, with Australian agencies, including the Australian Signals Directorate, in particular welcoming efforts to hold bad actors to account.
Starting point is 00:07:08 So, the two Chinese hackers each face a possible maximum of 40 years in U.S. federal prison, but since cybercriminals work locally even as they act globally, both of the accused are still in China, and so have the proverbial snowball's chance of extradition to the U.S., unless, of course, they're inattentive in their selection of international vacation spots and decide to honeymoon in a place that has a good extradition treaty with the U.S. or even a less formal willingness to cooperate with the Americans. Just ask Roman Valerevich Seleznev. He's the sometime proprietor of Carder Planet, who goes by the hacker names Track2 and Bulba, son of a Russian Duma member and convicted hacker, now a guest at the Federal Correctional Complex Butner in North Carolina,
Starting point is 00:07:52 a medium security club fed. His reservation runs through 2043. In 2014, Mr. Seleznev was incautious enough to check into the Kanifushi Resort in the Maldives, where a special arrangement negotiated with the local government by the U.S. Secret Service facilitated his arrest and transportation to the U.S. So travel with care. We hear Wuhan is nice this time of year. COVID-19 has ignited necessary modernization projects for government agencies, along with the push for necessary funding to see said projects through. Mike Schaub is Information Security Manager from cloud management platform supplier CloudCheckr.
Starting point is 00:08:37 I think with the government, you've seen that they've struggled a bit with trying to scale up with the COVID-19 response and ran in some trouble with their systems. Some examples of that with the stories about the IRS looking for COBOL programmers trying to get the stimulus checks printed and the unemployment websites being inundated with filings and just struggling to even keep up. So it's caused a strain due to the unprecedented issues that COVID has put forth. Where were these agencies before COVID hit in terms of being behind the eight ball or ahead of the game? Where did they stand?
Starting point is 00:09:23 I think different agencies were different places. There were definitely some looking towards modernization. And then in 2017, they were looking forward, they put out the Modernizing Government Technology Act. It was signed into law. It would give the ability for agencies to start setting aside some funds towards modernization. But I think you've seen agencies have struggled to kind of advance these efforts or get that funding because that did not come with funding within it. It just gave them a mechanism for creating funds so they can set aside funds to use towards the modernization. Now, in terms of the agencies reaching out to Congress to ask for more funding, are they being effective in that messaging?
Starting point is 00:10:19 Is Congress being receptive? Well, with COVID in the House and the CARES Act, we saw it was proposed $3 billion towards modernization as part of the CARES Act. But in the end, it ended up only getting close to like $500 million of that passed towards modernization things. It's coming up again with the HEROES Act, which has passed the House, but some doubt whether it will go beyond that. And that currently has another billion dollars towards modernization funding. So I think COVID is helping to cause more discussion on this, but I think it may still remain to be seen if it will result in actual acceleration.
Starting point is 00:11:06 And one of the things, too, with modernization, it tends to be an ongoing thing, too. So although that may give a boost to help with some that are far behind, the technology continues to evolve and change all the time. That's Mike Schaub from CloudCheckr. The Wall Street Journal says the U.S. State Department also ordered China's Houston Consulate closed for its connection to espionage and influence operations. Why the Houston Consulate in particular was singled out, the State Department hasn't said. Quote, the United States will not tolerate the PRC's violations of our sovereignty and intimidation of our people, just as we have not tolerated the PRC's unfair trade practices, theft of American jobs, and other egregious behavior.
Starting point is 00:11:53 End quote. That was the extent of the clarification State Department spokeswoman Morgan Ortagus offered. The Chinese Foreign Ministry reacted with some figurative heat. Spokesman Wang Wenbin said yesterday, quote, this is a political provocation unilaterally launched by the U.S. China urges the U.S. to immediately rescind its erroneous decision. Otherwise, China will undertake legitimate and necessary responses, end quote. The Chinese foreign ministry also reacted with some literal heat. The Houston consulate burned its papers last night, Click2Houston reports. The Houston fire department showed up but of course couldn't enter to put the fire out,
Starting point is 00:12:36 the consulate's grounds being a privileged diplomatic space, but at least they were there to keep the flames from jumping to the neighborhood. Burning your diplomatic papers is a traditional sign of either self-protection against a hostile host government or evidence of some guilty knowledge. You can take your pick, but whatever else they were up to, the consular staff wasn't toasting s'mores.
Starting point is 00:15:16 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting story came by. This actually caught my attention.
Starting point is 00:15:50 It was a press release from the folks at F-Secure, a security company out of Helsinki, Finland. And they have published some research where they have been looking at some counterfeit Cisco routers. What's going on here, Joe? So their customer purchased a couple of routers, which later turned out to be counterfeit. And the way they found out that they were counterfeit routers is they updated the software, like a company should do when they have these routers. And that stopped the routers from working at all. So F-Secure is investigating some, or has investigated, rather, some routers that were counterfeit that were sold to a company. And the way the company found out they were counterfeit was the switches, these were switches, they stopped working when someone tried to update them.
Starting point is 00:16:37 So the software wouldn't run on the modified switches or forged switches, right? And they actually call them either modified or forged. I don't know which one it is. But one of the things they said in here was when you find counterfeit hardware on your network, you don't know what that counterfeit hardware is doing. Yeah. So you have to do a reverse engineering project on it.
Starting point is 00:16:59 And that's essentially what F-Secure was asked to do. And what they found was there was no backdoor on the hardware that they could find. And they think that the motivation for this was just, I'm just going to rip off Cisco's products and sell them for cheaper and make money, right? Yeah, so, I mean, let's walk through some of the likely sort of order of operations here that, you know, I'm in the market for a Cisco router. Right. And I'm shopping around and maybe I find a price that's lower than my local authorized Cisco dealer. Right. Because when you go out shopping for Cisco routers, you'll find that they're pretty expensive. Cisco routers and switches, you'll find that they're not cheap, right? Yeah. No, it's an investment. It is an investment. It's an investment in the design of going with a reputable manufacturer who takes security and the operation
Starting point is 00:17:54 of your network very seriously. Cisco is a great company for that. There are other companies out there that are similar to that. I'm not endorsing Cisco, but they do a good job. If you're out there looking around for equipment, you might be enticed to go with somebody who has a lower price point and has equipment that is, as far as you're concerned, the exact same product. Yeah. And so you order these, they show up, everything looks fine. The boxes look like Cisco boxes. You open them up inside, the switches look like Cisco switches. You put them up inside. The switches look like Cisco switches. You put them in the racks.
Starting point is 00:18:28 You wire them up. Data is flowing. You configure them as far as you're concerned. Everything is running as normal. There's nothing out of the ordinary here. They're functioning the way that you hoped that they would. It's all hunky-dory, right? Until?
Starting point is 00:18:44 Until you go to update them. And something in the update process stops them from working. Yeah, yeah. How do you protect against this? How do you make sure that you're not getting some bogus equipment? Well, that's a good question. And F-Secure actually addresses that in this press release. The first thing they say is, source all of your components from authorized resellers. Make sure that the person you're dealing with
Starting point is 00:19:08 is an authorized reseller of the product from the company you're buying. And you can probably call the manufacturer and say, is this person an authorized reseller of your product? Because they take that relationship very seriously. I was looking at an article from back in 2008 that said if Cisco finds out or gets wind of you selling counterfeit products, you're done. They're not going to deal with you anymore. You're not going to be an authorized reseller. That would be a big hit to someone's business. So they're a lot less likely to sell counterfeit products.
Starting point is 00:19:37 So look for that authorized reseller. Yeah, I mean, I suppose, too, if you're an organization that is looking to save some money, maybe you're a nonprofit or something like that, you also have to be careful about the used market. Because if you were shopping around for a used Cisco router, you say, well, here's a way to save some money on a name brand device. Yeah. That could be a counterfeit unit as well. Absolutely. It could be counterfeit or modified.
Starting point is 00:20:01 Yep. One of the things they say is that make sure that everything runs the latest available software provided by the vendor. I'm actually kind of pleased that the software on these caused the routers to brick. I think that might be Cisco's doing, right? That there's something in the software update that says this is not a legitimate piece of Cisco equipment. We're going to make it not work. That's good with me. I'm okay with that, actually. Yeah. All right. Well, it's an interesting story. You can chase it down. Again, it's the folks over at F-Secure have published their research on these fake Cisco
Starting point is 00:20:38 routers. It's an interesting read. Joe Kerrigan, thanks for joining us. It's my pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:21:36 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:22:13 Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
