CyberWire Daily - US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware phishing. Varonis discovers Windows vulnerabilities. CISA expands KEV Catalog.

Episode Date: October 25, 2022

US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware group phishing campaign. Varonis discovers two Windows vulnerabilities. Mr Security Answer Person John Pescatore on security through obscurity. Ben Yelin on the DOJ's spying cases against China. CISA expands its Known Exploited Vulnerabilities Catalog with six new entries. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/205

Selected reading.
Two Arrested and 13 Charged in Three Separate Cases for Alleged Participation in Malign Schemes in the United States on Behalf of the Government of the People's Republic of China (US Department of Justice)
U.S. Justice Department Fires Warning Shot at Chinese Spies (Foreign Policy)
Chinese spies charged with trying to thwart Huawei investigation (Quartz)
DOJ Charges 13 Over Chinese Interference In US Affairs (Law360)
U.S. Says Chinese Tried to Obstruct Huawei Prosecution (Wall Street Journal)
U.S. charges Chinese nationals with schemes to steal info, punish critics and recruit spies (CBS News)
Cuba ransomware affiliate targets Ukrainian govt agencies (BleepingComputer)
Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries (BlackBerry)
The Logging Dead: Two Event Log Vulnerabilities Haunting Windows (Varonis)
CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The U.S. Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware group phishing campaign. Varonis discovers two Windows vulnerabilities. Mr. Security Answer Person John Pescatore on security through obscurity.
Starting point is 00:02:15 Ben Yelin on the DOJ spying cases against China. And CISA expands its Known Exploited Vulnerabilities Catalog with six new entries. From the CyberWire studios at DataTribe, I'm Trey Hester filling in for Dave Bittner with your CyberWire summary for Tuesday, October 25th, 2022. Yesterday, we reported some breaking news from the U.S. Justice Department concerning espionage cases involving Chinese intelligence services. More has emerged since then. To recap, the U.S. Department of Justice yesterday held a press conference to announce the unsealing of three cases against 13 Chinese nationals, including 10 Chinese intelligence officers. Attorney General Merrick Garland outlined the cases. The first involved charges against two Chinese intelligence officers
Starting point is 00:03:21 who allegedly bribed a U.S. citizen, a law enforcement insider, to reveal sensitive and non-public information about the U.S. prosecution of a Chinese telecommunications company. That insider, however, was a double agent and not someone the Chinese officers had successfully recruited as an asset. Quartz reports the two Chinese intelligence officers were fed false information by the U.S. government employee provided to the employee by the FBI. Who was the Chinese company on trial in New York? One of the reporters asked directly, quote, was it Huawei? End quote. But the Justice Department officials declined to name the Chinese company involved in the prosecution. Since then, however, the Wall Street Journal and others have reported that sources confirm that the company involved is indeed Huawei.
Starting point is 00:04:07 The two men face charges of obstruction of an official proceeding and money laundering. They are, of course, in addition to the earlier bank fraud and racketeering charges the U.S. has filed against Huawei. the activities of a front Chinese academic organization that had allegedly been engaged in both theft of U.S. intellectual property and in the suppression of constitutionally protected free speech regarded as embarrassing to China. Four individuals were charged in that case. Finally, the third case, in which seven individuals were indicted, involved China's Operation Foxhunt, a long-running program of forcibly repatriating Chinese who have emigrated to other countries and who are regarded as a threat to the reputation or security of the People's Republic. Chinese agents are alleged to have hounded victims and their families with physical intimidation, frivolous lawsuits, threats, and other harassment.
Starting point is 00:04:59 With Foreign Policy reporting that the seven individuals indicted promised to make the victim's life a, quote, endless misery, saying that these would not stop until the victims returned to China. Attorney General Garland said, quote, As these cases demonstrate, the government of China sought to interfere with the rights and freedoms of individuals in the United States and undermine our judicial system that protects those rights. They did not succeed. The Justice Department will not tolerate attempts by any foreign power to undermine the rule of law upon which our democracy is based. We will continue to fiercely protect the rights guaranteed to everyone in our country,
Starting point is 00:05:36 and we will defend the integrity of our institutions, end quote. The Computer Emergency Response Team of Ukraine warns that it observed phishing emails that misrepresent themselves as coming from the press service of the General Staff of the Armed Forces of Ukraine. The emails invite the recipients to follow a link and download a document called Order309.pdf, but victims are then taken to a page that informs them that they need to update their PDF reader. The link is malicious, BleepingComputer reports, and performing the bogus update installs the RomCom remote access trojan on behalf of the Cuba ransomware group. Cuba has recently been active in the present war, hitting targets in Montenegro last month. BlackBerry researchers describe RomCom's capabilities as follows, quote, main RomCom functionalities include, but are not limited to, gathering system information, disk and files information enumeration,
Starting point is 00:06:30 and information about locally installed applications and memory processes. It also takes screenshots and transmits collected data to the hard-coded command and control. If a special command is received, it supports auto-deletion from the victim's machine, end quote. Thus, RomCom can function both as an espionage tool and a wiper. It's still fairly low-grade offensive work and still falls short of the devastation widely expected earlier in the cyber phases of Russia's hybrid war against Ukraine. Researchers at Varonis announced today that they've discovered two Windows vulnerabilities they're calling LogCrusher and OverLog. Both are located in the operating system's Internet Explorer-specific event log.
Starting point is 00:07:12 The vulnerabilities can be used to carry out denial-of-service attacks. LogCrusher allows the domain user to remotely crash the event log application of any Windows machine on the domain. OverLog can be exploited to induce a remote denial of service condition by filling the hard drive space of any Windows machine on the domain. OverLog has been fully patched and assigned the CVE designation CVE-2022-37981. Microsoft has not fully patched LogCrusher, which doesn't affect versions of Windows more recent than Windows 10K, but recommendations for remediation are available. In full disclosure, we note that
Starting point is 00:07:50 Microsoft is a CyberWire partner. And finally, the U.S. Cybersecurity and Infrastructure Security Agency has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Two involve Cisco AnyConnect vulnerabilities, and the other four affect multiple Gigabyte products. In all cases, users are advised to apply the vendor's patches according to the vendor's instructions. Federal civilian executive agencies have until November 14th to check their systems and patch them as necessary. Coming up after the break, Mr. Security Answer Person John Pescatore
Starting point is 00:08:32 on security through obscurity. And Ben Yelin sits down with Dave Bittner to discuss the DOJ's spying cases against China. Stick around. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:09:02 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:09:39 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:10:24 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode comes via Twitter from Stephen Summers. Stephen posted a picture from a security conference that showed the Wi-Fi access point SSID and login password and asks, is it really a good idea to hop on a network in a large gathering of security professionals? Well, Stephen, the short answer is it depends on what type of cybersecurity conference you're at. If it was all security awareness or governance, risk, compliance or identity and access management professionals, you might not have to worry so much. But if you're at DEF CON, Black Hat, or at a conference focused on pen testing or one making big bucks through bug bounty programs, you might want to think twice.
Starting point is 00:11:41 It could be like rubbing yourself with seal fat before taking a swim in the ocean. Your question raises two other important issues. The first is, you really should not connect your laptop to any network, including the internet, unless you are sure that laptop is at least at the essential security hygiene level or higher. Security conferences aren't the only place where security experts are lurking. All those cyber criminals and state-based attackers on the internet are also professionals and experts. Go take a look at isc.sans.edu slash survival time, where the SANS Internet Storm Center takes user-forwarded logs and shows how quickly vulnerabilities are scanned for over the internet. Historically, the average time for a vulnerable Windows PC to be probed is about only 100 minutes. Automated scans set up by skilled bad guys are rampant.
Starting point is 00:12:30 The second point is the old debate over security through obscurity. Back in the day, it was common for vulnerabilities to exist and vendors did not want to let anyone know until after the updated patch software came out. The idea seemed to make sense. Why give the bad guys a head start? But once Microsoft and others started issuing regular patch releases giving credit to who discovered the vulnerability, it became obvious that a high percentage of vulnerabilities were being found by outside security researchers, what we call white hat types. If those white hats were finding them before the software vendors' own teams, you can be sure that the black hat types were too. Turns out security through obscurity doesn't work any better than putting your wallet in your sneakers when you go in the water at the beach.
Starting point is 00:13:12 For criminals, out of sight is not out of mind. But you don't have to don a suit of armor every time you go outside either, or have very visible laser beams across every door and window in your house to be safe. That essential security hygiene level will keep your laptop safe from the vast majority of attacks that are likely to reach it directly over the internet versus those that go through the user like phishing attacks. And throw in multi-factor authentication and you're ready to brave connecting to that network at most security conferences. Back in the 80s, I worked for the U.S. Secret Service providing technical security for trips by the President, Vice President, and others. The Secret Service can rarely say, don't go there, so the security model has to make sure an essential protective hygiene level is always in place,
Starting point is 00:13:55 which had a very visible, i.e., non-obscure, outer layer of guys in suits with earpieces in their ears and guns under their suits. That was backed up by less visible layers of protection, much of which was in place regardless of the destination. What I'm getting at is this. You must maintain a due diligence level of protection, what I'm calling essential security hygiene, independent of particular threats or dangerous networks at security conferences. You can't be prepared for advanced threats without doing at least that.
Starting point is 00:14:24 When you integrate threat intelligence, you can raise the bar through a mix of improved people skills, stronger security processes, and advanced technology, but you will almost never be able to tell the business, don't go there. And by the way, if you're in the hotel business, do tell the business side that if they book conferences of pen testers or vulnerability researchers, they better invest in going well beyond that basic essential level. Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.
Starting point is 00:15:04 Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the Cyber Wire. Send your questions for Mr. Security Answer Person to questions at thecyberwire.com. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hello, Dave. So big story this week was the DOJ coming at some Chinese spies and accusing the Chinese government of malign schemes. Give us a breakdown here, Ben.
Starting point is 00:15:53 What's going on? So early this week, the United States unveiled charges against two Chinese intelligence officers for, and I'm quoting the Washington Post article here, attempting to subvert a criminal investigation into a China-based telecommunications company. The company itself was not revealed in the indictment, but based on anonymous sources and, frankly, common sense, it is assumed to be Huawei, which has been under investigation by our Department of Justice since 2019. The allegations are pretty startling. So 10 individuals who are
Starting point is 00:16:26 Chinese intelligence officers or government officials were working on the Chinese government's behalf to bribe a U.S. law enforcement agent to share secrets about this investigation. And this was a way, in the words of FBI Director Christopher Wray, to lie, cheat, and steal their way into gaining a competitive advantage. Little did these suspects know that they were actually speaking to a double agent who was pretending to be a friendly U.S. intelligence officer but was actually working on behalf of the Department of Justice.
Starting point is 00:16:58 And they ratted out these individuals. And as a result, for these individuals trying to meddle in this criminal investigation, the Department of Justice has unsealed these indictments. Now, the immediate impact of the indictments is somewhat questionable. We do not have a good working extradition treaty with China, so it's not like Chinese government officials are going to be hauled in front of a U.S. judge in the near future. But I think it can still certainly have an impact. For one, it shows the capabilities of our own intelligence agencies to root out this type of behavior,
Starting point is 00:17:34 identify it, and try to dissuade other malign actors, particularly those that might not be closely associated with nation states, to try to engage in this espionage. And it's not fun when you're a foreign national and you have an unsealed indictment from the United States Department of Justice. It means if you go to any country with which we have an extradition treaty, you're risking being sent to the United States for arrest and prosecution. So certainly these individuals, while they might not face immediate criminal consequences, their lives are going to be upended by this decision. I think it signals a new strategy from this administration to hold the Chinese government accountable for violating international law and for trying to meddle in this investigation that we've been
Starting point is 00:18:24 undertaking for several years now. And in that sense, I really think it sends an important message. Do you suspect that we'll see some sort of overt response from China, or will they stay quiet about it? I am certainly not in the business of predicting actions on behalf of the People's Republic of China. That is a fool's errand. Generally, they do engage in retaliatory practices, but sometimes they play the long game. So it's not like they're going to indict
Starting point is 00:18:53 some of our own intelligence officers in the next several days. I mean, I think we're engaged in a, I don't want to say a cold war, because I think that terminology has some pretty heavy connotations, but a long battle with our Chinese adversaries, particularly on trade secrets and the corrupt practices of intellectual property theft by the Chinese government and its agents.
Starting point is 00:19:20 And so as part of that ongoing conflict, we're certainly prone to all different types of retaliations, whether that's a cyber attack on our government or our businesses or some other type of espionage. I think that remains to be seen. This is sort of another shot across the bow in this really ongoing battle between our government and China's government in this realm. All right. Well, certainly worth keeping an eye on. Ben Yelin, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
Starting point is 00:20:23 securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado. Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And that's The Cyber Wire.
Starting point is 00:21:18 For links to all of today's stories, check out our daily briefings at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliot Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson,
Starting point is 00:21:41 Bennett Moe, Catherine Murphy, Janine Daly, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Trey Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
