CyberWire Daily - Microsoft patches a vulnerability NSA disclosed. Fronting for APT40 in Hainan. Fancy Bear pawed at Burisma. The NSA Pensacola shooting and the debate over encryption.

Episode Date: January 14, 2020

NSA discloses a vulnerability to Microsoft so it can be patched quickly. Intrusion Truth describes thirteen front companies for China’s APT40--they’re interested in offensive cyber capabilities. Area 1 reports that Russia’s GRU conducted a focused phishing campaign against Ukraine’s Burisma Group, the energy company that figured prominently in the House’s resolution to impeach US President Trump. And the US Justice Department moves for access to encrypted communications. Joe Carrigan from JHU ISI on the security issues of Android bloatware. Guest is Haiyan Song from Splunk with 2020 predictions. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_14.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. NSA discloses a vulnerability to Microsoft so it can be patched quickly. Intrusion Truth describes 13 front companies for China's APT40. They're interested in offensive cyber capabilities. Area One reports that Russia's GRU conducted a focused phishing campaign against Ukraine's Burisma Group, the energy company that
Starting point is 00:02:16 figured prominently in the House's resolution to impeach U.S. President Trump. And the U.S. Justice Department moves for access to encrypted communications. Still on assignment in Seattle, Washington, and looking forward to heading home, I'm Dave Bittner with your CyberWire summary for Tuesday, January 14, 2020. Today is Patch Tuesday, and late yesterday, Krebs on Security said that sources told him Microsoft would issue an unusually important patch for a core cryptographic component shared by all versions of Windows. That module is Crypt32.dll, which Microsoft characterizes as handling
Starting point is 00:02:59 certificate and cryptographic messaging functions in the crypto API. The Washington Post this morning reported that the flaw was discovered by the U.S. National Security Agency, which quietly reported it to Microsoft rather than weaponizing the vulnerability. The flaw is said to be comparable in severity to the one exploited by EternalBlue, which NSA also discovered and disclosed to Microsoft upon learning that others had gained access to the tool. The flaw to be patched today has a variety of implications for authentication and protection of sensitive data, and it could also in principle be exploited to spoof digital signatures associated with particular bits of software. Early reports said that Microsoft had quietly informed some government agencies of the vulnerability,
Starting point is 00:03:45 but this seems in some respects to have it backward. It was the U.S. government, specifically NSA, that informed Microsoft. NSA commented early this afternoon in a media call. Cybersecurity Directorate Head Ann Neuberger said NSA discovered the crucial vulnerability in the course of its routine look at the range of tools it uses. Given the vulnerability's severity, NSA decided to notify Microsoft to help them expedite patching. NSA itself recommends that network owners immediately implement the patch, as, she said, we ourselves will be doing.
Starting point is 00:04:21 When Microsoft posts the patch this afternoon, they will give attribution to NSA. NSA agreed to attribution as a way of building trust, of showing their work. They also wanted the attribution as a way of leaning forward, to raise awareness and a proper sense of urgency. These represent, she said, an evolution of NSA's new commitment to openness and the building of trust with the larger community. Asked why NSA decided to disclose rather than weaponize the vulnerability, Director Neuberger said that in this case it was NSA's judgment that its mission was best served through disclosure. This is part of overall trust building.
Starting point is 00:04:59 The Cyber Wire asked if this disclosure represented the ordinary working of the vulnerabilities equities process. Ms. Neuberger explained that the vulnerabilities equities process, a National Security Council process, concerns itself with retention decisions. But in this case, the process didn't need to be invoked. NSA quickly made a determination to share the vulnerability it discovered, and so the VEP wasn't engaged. This sort of decision to disclosure, Ms. Neuberger said, should be regarded as NSA's normal way of doing business. When security is enhanced by disclosure, NSA will decide to disclose.
Starting point is 00:05:36 Neither NSA nor Microsoft have seen any exploitation of the vulnerability in the wild, and if you'll take NSA's advice, you'll apply today's Microsoft patch as soon as you can. ZDNet reports that the anonymous security analysts of Intrusion Truth have uncovered some 13 companies operating for the most part from Hainan, a large island province in the South China Sea, that serve as fronts for APT40. APT40 is a threat group associated with the Chinese government and best known for espionage on behalf of the People's Liberation Army Navy. An order-of-battle note: that may be an odd-sounding name, but it's the one China's Navy is known by, the People's Liberation Army Navy.
Starting point is 00:06:20 Intrusion Truth posted its findings this past Thursday and Friday. The 13 Hainan companies are all hiring, and they're hiring people with offensive cyber skills and useful linguistic capabilities. For example, some of the job ads look for female English speakers. As Intrusion Truth sums it up, We have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations, but different names recruiting for offensive hacking skills.
Starting point is 00:06:49 Like Boyosec, Haiying Haitai, Antorsoft, and others, these companies have very little presence on the internet outside of these adverts. It's of course possible that offensive skills can be, as they often are, put to defensive use in red-teaming and penetration testing, but the skill sets the companies are interested in would seem to mark them as organizations of interest. They've also found an academic connection, one Gu Zhain, a professor in the Information Security Department of Hainan University. His CV describes him as a former member of the People's Liberation Army. In itself, that's no surprise. There's no shortage of PLA veterans in China. It's a pretty big army.
Starting point is 00:07:32 Professor Gu is also down as the contact person for one of the front companies that's itself linked to the other 12. It's an interesting example of how researchers develop connections among cyber actors. Intrusion Truth promises more posts on the Hainan group of companies in the near future. It's a new year, and that means predictions are hot on many minds as we try to align security budgets with resources. Haiyan Song is Senior Vice President and General Manager of Security Market at Splunk, and she shares these insights. Cloud adoption, I would say, is still in the early stages in terms of fully understanding how this new paradigm of cloud computing
Starting point is 00:08:15 is going to impact our day-to-day. You know, we love all the technologies like the new containers, the Kubernetes. And in the meantime, it's also this whole emergence of API-driven economy in the cloud, right? People can build solutions without having to really build the entire stack. They can leverage a lot of services that's already in the cloud.
Starting point is 00:08:37 What it does though, is now you have a very complicated digital supply chain for what you're delivering. And all of the things are happening in the cloud computing speed, which we call it machine speed. So we think what's really going to happen this year, and at least the prediction is, it's no longer just, oh, we found a misconfiguration, and we're just going to take some data from, you know, S3 buckets. I think it's going to be to figure out how the service, it's sort of linked together and try to disrupt something in the middle. And it's going to be so much more impactful
Starting point is 00:09:17 to the services or the customers of the services. And it's happening so fast that we have to find a way to automate the responses. What about some of these applications of technology that are coming along, you know, people who are up to no good? I'm thinking of things like deep fakes, you know, particularly as we head into an election season, you know, people will be worried about the things they're going to see on the news and so forth. Are things like deep fakes, is that something that's on your radar? It's definitely something that we always talk about as part of this concept. Humans is still, I would say, the weakest link when it comes to thinking about what the best practices are and to protect yourself. And the human factor continue to be a major sort of
Starting point is 00:10:06 threat vector, if you will. I just saw the latest news, I think Snapchat just sort of invested in a company or bought a company and that's really specializing in deepfake technology. So that's sort of a sign of that's becoming more and more mainstream. And I think 2020 was the election year. It's going to be a perfect storm for how this technology is going to be, you know, leveraged to for social engineering. And I'm sure it's going to bring a lot of entertainment for people who are sort of looking at those things. But I think it's definitely going to exploit the weakness in the human link, if you will. Yeah. As we're heading into this new year, how do you describe your own attitude towards it? Are you optimistic or are you cautious?
Starting point is 00:10:59 So how do you think things are going to play out this year? I'm always a glass half full person. So I love the technology, the adoption of new technology, I think is going to bring us many different cross pollination on how to really learn from the new cloud paradigm. How do we learn from all the natural language processing that brought all this access to technology. I think one thing that I'm always really trying to get to our audiences and customers is think of automation as one of the key technologies to really help you with making the shift to the cloud paradigm and knowing that automation is there to help us. There's a lot
Starting point is 00:11:46 more benefit to be had. And I thought I would just always want to share that perspective. That's Haiyan Song from Splunk. Area One has released research indicating that Russia's GRU in November of 2019 began a phishing campaign against the Ukrainian energy company Burisma Holdings. The goal was to obtain email credentials from Burisma, its subsidiaries, and its partners. Burisma is the company whose connections to former U.S. Vice President Biden's son, Hunter Biden, were at the center of the impeachment inquiry directed at U.S. President Trump, who wanted a Ukrainian investigation of those connections and is accused of having abused his office in pressuring his Ukrainian counterpart. Phishing is a common method of attack, and as the
Starting point is 00:12:31 New York Times and Wall Street Journal point out, it's how Fancy Bear, the GRU, accessed Democratic Party accounts in 2016. What specifically was Fancy Bear after, once it had those credentials? Area One says it doesn't know, but the two most probable inferences are that they were interested in either collection against a target of interest or in preparing some influence operation, or perhaps both. Yesterday, U.S. Attorney General Barr released the results of the Justice Department's inquiry into the December 6 shootings at Pensacola Naval Air Station. The investigators concluded, as expected, that the shooter was Lieutenant Mohammed Saeed
Starting point is 00:13:11 Al-Shamrani of the Royal Saudi Air Force and that his actions were an act of terrorism motivated by what the Attorney General characterized as jihadist ideology. That conclusion was supported by inspection of the shooter's social media posts, which indicated that he had become radicalized. While investigation determined that the shooter acted alone, an inquiry into the social media presence of other Saudi military personnel determined that 21 of those training in the U.S. were in possession of similar material. None of this, the Attorney General said, warranted prosecution under U.S. law, but the Kingdom of Saudi Arabia determined that their engagement with such material
Starting point is 00:13:50 constituted conduct unbecoming of an officer. The Kingdom disenrolled the 21 officers from training in the U.S. and returned them to Saudi Arabia late yesterday. The investigation also constitutes another round in the dispute over access to encrypted communication. The Attorney General says the shooter's two iPhones have been recovered and restored to usability (he damaged each of them), but that investigators are unable to read their encrypted contents. The Justice Department has asked for Apple's help in unlocking them, which Apple has not provided. The Attorney General called upon Apple and the tech industry generally to work with the Justice Department to find some middle ground in the crypto wars.
Starting point is 00:14:37 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:15:31 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:16:17 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan.
Starting point is 00:17:00 He's from the Johns Hopkins University Information Security Institute. Also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. Interesting article came by. This is from Gadgets360, but I've seen this being covered in a variety of places. And this is, Google is being urged by over 50 organizations, including DuckDuckGo, to take action against Android vendors offering bloatware.
Starting point is 00:17:23 Right. What's going on here? So what happens when you buy an Android phone from a manufacturer like HTC or Samsung or a myriad of other manufacturers is you get these apps on the phone that you can't uninstall. Out of the box. Out of the box. The phone comes with these apps, and I've experienced this frustration with both HTC and Samsung personally. And they have legitimate concerns that there are some privacy issues with these apps, first off, and security issues as well. They're not updatable. They don't get updates unless it's an update pushed out through the cell phone provider many times. The apps are not installed
Starting point is 00:18:02 through the Google Play Store, so they're not subject to the scrutiny that those apps go through. Now, you can argue about how good that scrutiny is, but these apps don't get any scrutiny. They're just installed by default, and they, a lot of times, will leak information about the user. But I'm going to also point something else out here that these organizations may or may not understand. And that is that there is the Android One program, which was designed originally for emerging markets, but it's kind of expanded. And one of the benefits of the Android One program is that in order for a phone to be considered an Android One phone, it has to be running stock Android, an Android One phone, it has to be running stock Android, which is the same operating system that comes on the Google devices, like the Pixel 3 or the old Nexus devices. Okay. Now, my first
Starting point is 00:18:52 smartphone was an HTC smartphone, and it had an interface called HTC Sense. So that's kind of the benefit that these people, these manufacturers will say, is that we have a lot better Android experience because we'll overlay our own interface over top of it, right? But when I got fed up with my Samsung devices and finally went into the store and said, I don't care, just give me a stock Android device, and I bought a Nexus 6, I found that interface to be very clean
Starting point is 00:19:20 and very enjoyable. And then my next phone was an LG phone that didn't have the stock Android experience again. And I found I missed the stock Android experience. So I went back and I bought a, for the phone that I currently have, I have a Pixel 3, which of course comes with the stock Android experience.
Starting point is 00:19:39 Now the Pixel 3 I think is prohibitively expensive and I would dare say overpriced. But there are other phones out there in the Android 1 program that are more competitively priced and have the same stock Android apps without any of the bloatware and without any of the security issues that these folks are talking about here. Well, let me ask you this. So the phone that you have now, did that come with any bloatware on it? It did not. It did not. Okay. So by, and I think there's, that's one of the points here is that if you're willing to pay a premium price, you can get phones that don't have this sort of bloatware.
Starting point is 00:20:14 And certainly over on the, over on the Apple side of things, iOS devices come with no bloatware. Correct. That's a, that's a premium price. Right. But the, the Android one that's a premium price. Right, but the Android One phones are not premium price phones. But part of the way that the cheap phones are financed is through the installation of this bloatware.
Starting point is 00:20:34 In other words, the manufacturer is making some money on the back end. Yeah. And that's part of how they can make the phones so inexpensive. And the point I'm trying to get to is that isn't everyone entitled to good security? You shouldn't just need to pay a premium to have a secure device in a world where we're so dependent on these devices.
Starting point is 00:20:53 Agreed. But the Android One program phones are not prohibitively expensive. They're actually a lot cheaper than these phones here. Like you can get an Android One phone for about $400. So you're saying if this is a concern of yours, go out and look for the Android One labeled phone, and that won't have the bloatware. It won't have the bloatware. It'll come with stock Android installed.
Starting point is 00:21:15 You get security updates, monthly security updates guaranteed for two years. It's a pretty good program. But that precludes you from getting the cool, flashy devices from like Samsung, HTC, and LG. I see. They don't have that. But again, those phones are also expensive. So there is an inexpensive option for users to get. In fact, I think my next phone will probably be an Android One phone, a less expensive Android One phone.
Starting point is 00:21:41 All right. Well, it's an interesting push, if nothing else. I agree 100%. Yeah. Yeah, this is a privacy push, if nothing else. I agree 100 percent. Yeah. Yeah. This is a privacy push and I'm all in favor of whenever that happens. Yeah. Right. All right. Well, Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:22:10 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thank you. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:23:10 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Thank you. data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
Starting point is 00:24:12 through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
