The CyberWire Daily Podcast 2.14.20
Ep 1025 | 2.14.20

Huawei gets a RICO prosecution. Details on DPRK Hidden Cobra Trojans. Google takes down Chrome malvertising network. Run DNC. Hacker madness. Happy St. Valentine’s Day.

Transcript

Dave Bittner: [00:00:03] The US indicts Huawei for racketeering. The FBI and CISA release details on malware used by North Korea's Hidden Cobra. Iran attributes last week's DDoS attack to the US. Google takes down a big malvertising and click-fraud network that exploited Chrome extensions. Reports surface of DNC involvement in IowaReporterApp. Not all official advice is necessarily good advice. And if things don't work out with your object of affection, don't spy on their social media accounts. 

Dave Bittner: [00:00:39]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And are you attending RSA Conference 2020 in San Francisco, February 24 through the 28? Well, don't forget to stop by Booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook." Come on by and say hello. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:49]  Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:14]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 14, 2020. 

Dave Bittner: [00:02:23]  First, a Happy St. Valentine's Day to lovebirds everywhere. We trust you're shopping safely for candy and flowers and that you're sending your love letters by secure means. Good for you - because what the world needs now is love, sweet love. 

Dave Bittner: [00:02:38]  Of course, it's not all hearts and flowers everywhere and lately, especially, not in Shenzhen and Washington. The US Justice Department has sent a new mash note to Huawei in the form of a sixteen-count superseding RICO indictment against Huawei. TechCrunch calls the sixteen-charge indictment sprawling. RICO is the acronym by which the Racketeering Influenced and Corrupt Actions Act is commonly known in the US. It's a federal statute that dates to 1970 and that has been used extensively in mob prosecutions. 

Dave Bittner: [00:03:11]  The US alleges a decade-long conspiracy to steal the intellectual property of US firms. The defendants include many Huawei companies and subsidiaries, as well as Wanzhou Meng. Ms Meng, you'll recall, is the company's CFO who's currently in Vancouver, British Columbia, fighting extradition to the US. 

Dave Bittner: [00:03:31]  The Department of Justice says it's found decades-long efforts by Huawei and several of its subsidiaries both in the US and in the People's Republic of China to misappropriate intellectual property, including from six US technology companies, in an effort to grow and operate Huawei's business. Huawei calls the charges baseless and another move by the US to irrevocably damage the company. The company says it expects to prevail in court. Lawfare points out that Huawei has shifted its position a bit on the Wall Street Journal's report that the company's devices were backdoored. They've moved from saying we can't intercept traffic to we could intercept traffic, but someone would notice if we did. 

Dave Bittner: [00:04:15]  The FBI and CISA have released Malware Analysis Reports detailing malware used by North Korea's Hidden Cobra, according to BleepingComputer. The malware strains included in the report are BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE and HOPLIGHT. All of them are Trojans. 

Dave Bittner: [00:04:37]  Iran, which had been slow to attribute blame for last weekend's distributed denial-of-service attack, has now decided to call the incident an American operation, Tasnim reports. How Tehran knows it was Washington isn't specified. The official statements emphasize the success of Iran's cyberdefenses. 

Dave Bittner: [00:04:56]  Researchers at Cisco's Duo worked with Google to help Mountain View take down more than 500 malicious extensions from its store. The bad Chrome extensions were part of an extensive malvertising and click-fraud network. 

Dave Bittner: [00:05:10]  Members of the Iowa Democratic Party have dropped a dime on the national organization over the badly botched implementation of the IowaReporterApp during last week's caucus. Yahoo News received a copy of the contract between Shadow, Inc. and the Iowa party that required Shadow to deliver its code to the Democratic National Committee for testing. Yahoo also obtained emails that seem to indicate that senior DNC officials were involved in drafting the contract. The DNC disputes any inference that it was involved in developing the app. Their involvement, a spokesperson says, was confined to an offer of security assistance. 

Dave Bittner: [00:05:50]  Not all official advice, alas, is always useful or sometimes even well-informed. Consider, if you will, a poster being circulated in the UK to advise British parents on how to see whether their little nippers are staying safe online. The West Midlands Regional Organised Crime Unit's poster says that if you see Tor, Kali Linux, Discord, Metasploit or a virtual machine on your child's device, you should call the cops. The Register says the poster is all bollocks, which we're not sure is a bad word or not but, at any rate, we think means hogwash or baloney or something like that. 

Dave Bittner: [00:06:27]  At any rate, the WMROCU says that if you find any of these signs of children hacking, let them know so they can engage them into positive diversions, and positive diversions are exactly what the youth of Birmingham need. So the poster is a bit like a minor version of a digital-age reefer madness. The UK's National Crime Authority, whose logo appears on the poster, tweeted its own displeasure - quote "The NCA was not involved in the production or release of this poster. There are many tools which tech-savvy children use, some of which can be used for both legal and illegal purposes, so it is vital that parents and children know how these tools can be used safely," end quote. 

Dave Bittner: [00:07:09]  And finally, to return to a St. Valentine's Day theme, let us all remember not to go crazy if things don't work out romance-wise. Sometimes they don't. Sometimes, well, they're just not that into you. To stay with the mother country for a bit, The Mirror reports, to the UK's shame, that almost 1 in 5 Brits, as the Mirror calls them, have logged on to their ex's social media accounts to keep tabs on them. To this we can only say, how dare you, sir? For shame, madam. Just let it go. And if you live in the West Midlands and you feel yourself moved to snoop on the one that got away, well, just call the WMROCU and ask them to help you engage into positive diversions. 

Dave Bittner: [00:08:01]  And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:08:54]  And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's always great to have you back. You all recently published some information up on the Talos blog about JhoneRAT, which is a cloud-based RAT that you all are tracking. Take us through what you're looking at here. 

Craig Williams: [00:09:12]  Well, so this is actually one of the more interesting RATs we see. You know, I wouldn't say the methodology is unique, but it is reasonably rare still. But it's one of those RATs that basically uses the cloud to distribute itself. You know, it uses Google Docs and things like that. But it actually checks the keyboard layout of victims before the installation path continues, which, you know, it's not rare, but it is not something you see every single day. And especially when you take into account the fact that this targeted basically only keyboard layouts in the Middle East, it did make it pop up on our radar as something to look into. 

Dave Bittner: [00:09:52]  So just for background, what is the purpose of something like this looking at keyboard layouts? 

Craig Williams: [00:09:58]  Well, so if you're a bad guy and maybe, for whatever reason, you only want to target users in a certain region. So, you know, we'll see this kind of technique deployed if they want to target, let's say, utility providers in a certain country. Like, maybe they just want billing accounts for, I don't know, let's say a Middle Eastern utility or Middle Eastern banks or even something as simple and mundane as, like, cable providers, right? Lots of different things the adversaries can target, and they may actually be combining different sources of intel, right? 

Craig Williams: [00:10:28]  So maybe they want credentials for a certain internet provider because they have the ability to go into that site and attempt those passwords without being detected. So they assume that if they can compromise those accounts, they'll go completely undetected. And alternatively, maybe they want to target banks because they believe that they found a vulnerability in the way that the banking system is laid out or whatever. So it's not unusual to see this type of activity, but seeing it so specifically targeted in the Middle East is definitely something that made it pop up on our radar. 

Dave Bittner: [00:10:57]  And so reading between the lines then, what does that tell you about what they're after here? 

Craig Williams: [00:11:02]  Well, in this case, we don't have any exact information on what they're after. You know, obviously, they wanted to get systems in the Middle East, specifically in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco and countries around there. But we don't know specifically from those countries what they want. And so that's why it's kind of one of those situations where there's a lot of possibilities, and there are bounds on those possibilities. But it's still kind of a gray area as to exactly what the attackers' eventual plan will be. 

Dave Bittner: [00:11:33]  Are there any specific technical details that are interesting when it comes to JhoneRAT? 

Craig Williams: [00:11:37]  Absolutely. So this one had some really advanced anti-debugging features. You know, one of the things that jumped out on my radar that I thought was extremely unusual was the fact that it seemed to target Python decompilers specifically, right? So it's - you know, it's relatively unusual for bad guys to go through the trouble of distributing something through a cloud provider like Google Drive, right? That's not every day. It's not rare. But when you combine that with the regionality and you combine that with the Python anti-debugging, it really made this one interesting. 

Craig Williams: [00:12:12]  And to give you an example specifically of what we mean here, if you were to take this particular sample and run it through a tool like uncompyle - and by the way, that's spelled uncompyle, you know, because it's clever. 

Dave Bittner: [00:12:24]  Of course it is. 

Craig Williams: [00:12:24]  (Laughter) It actually would change the if statement to specify not any of these countries as opposed to any of these countries in the conditional. 

Dave Bittner: [00:12:36]  Huh. 

Craig Williams: [00:12:37]  It's a very subtle response, but when I was discussing this with my researchers, Paul and Vitor (ph), they were puzzled because they both came up with two different answers (laughter). And so you can imagine two people comparing notes remotely when one's like, it's X. And the other's like, no, it specifically says not X. So a bit of confusing fun for us to play with. And so there were little things like that that really made this jump out for us because that's relatively unusual, you know? And this set of different unusual circumstances really made it highlight itself on our radar. And it's one of those threats that we're going to end up tracking probably fairly closely as a result just to see what the attacker is up to next. 

Dave Bittner: [00:13:19]  And what are the recommendations to protect yourself? 

Craig Williams: [00:13:21]  Well, obviously, it comes down to the fact that you shouldn't be opening documents or any file, really, from strange sources. And even if you do see something coming from a known source, if it's an attachment or something that's not expected, you know, go ahead and reach out. You know, send them a text message, pick up the phone, and make sure that they intended to send you that because the reality is, these days, we see lots of threats that go through emails, that go through existing conversations, that go through existing contacts and will carry out a conversation under the guise of a previously reiterated conversation or, you know, just simply spamming out to all your contacts along with a malicious attachment. 

Dave Bittner: [00:14:02]  All right. Well, the blog post is called JhoneRAT: Cloud based python RAT targeting Middle Eastern countries. Craig Williams, thanks for joining us. 

Craig Williams: [00:14:10]  Thank you. 

Dave Bittner: [00:14:19]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single-sign-on, password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics - such as fingerprint or face - deliver a passwordless login experience for your employees while securing every password in use through Enterprise password management, and gain an integrated view across all access and authentication tasks and know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:15:42]  My guest today is Shuvo Chatterjee. He's product manager at Google, in charge of Advanced Protection. Shuvo's team at Google recently introduced new ways to make use of mobile devices with some of their Advanced Protection security techniques. In addition to that, our conversation explores the importance of reducing friction for users when it comes to the adoption and day-to-day use of sophisticated security tools. 

Shuvo Chatterjee: [00:16:06]  So Advanced Protection is Google's strongest offering for security for anyone's accounts. So it can be consumer accounts, but it can also be your C-suite account as well. And so what Advanced Protection provides is, first, it's an enforcement of security keys, so that you have to have a security key in order to authenticate to your device or to your computer or wherever you're logging in. 

Shuvo Chatterjee: [00:16:29]  Additionally, we have other protections that we provide as well. So some of these are behind the scenes. We do a lot of things like malware scanning for attachments and various risk tolerances for account recovery. And, you know, last year, we announced for Chrome users who were in Advanced Protection that they would start getting stricter verdicts about whether or not they should really be downloading a file that they're trying to download. And there's various other things that we're doing, and there's more to be announced. 

Shuvo Chatterjee: [00:17:00]  But the general idea is that Advanced Protection is constantly evolving as the threat landscape evolves. And so if you are a high-risk individual, whether you're a politician, journalist, activist, whatever your role may be, that this is the simplest way by which you can protect your digital life with Google. 

Dave Bittner: [00:17:20]  And you've got some new ways to do that. Can you take us through what additional measures you've enabled here? 

Shuvo Chatterjee: [00:17:26]  Yeah, absolutely. So one of the things that we noticed is, you know, taking a look at - we commissioned this Harris Poll study of 500 high-risk users, you know, across various professions and taking a look at how many of them have been attacked, and of those who have been attacked, how many have actually taken any kind of necessary steps? And so the vast majority have had some kind of phishing attack targeted towards them. I think it was something around 74% that we found. But at the same time, the vast majority haven't taken any action. Like, they haven't enrolled in 2SV or, you know, two-step verification or anything else like that. 

Shuvo Chatterjee: [00:18:03]  And so we've done a lot of user studies, and especially around Advanced Protection, to understand, what are the barriers to entry? And while we feel as, you know, these physical security keys are great in terms of what they do for phishing resistance, it's still this thing that a lot of people don't understand. And so with our latest update, what we did was now the device in your pocket, which is your phone, can act as your security key. And once you have that enabled, it's a one-click enrollment into Advanced Protection. 

Shuvo Chatterjee: [00:18:35]  So Android devices we announced last year can act as a security key. Part of this announcement is now we are letting iPhones as well act as a security key. And to do that, you know, a user downloads Google's Smart Lock app, and that takes care of the necessary pieces on your phone, where, you know, unlike on Android where we control the entire experience, on iOS, we have to create an app to get to where we want to be. But that way you have that communication from Chrome to your phone to verify you are in proximity, it's you who's actually trying to log in. And you get the same level of protection as you would with a physical security key. 

Dave Bittner: [00:19:18]  Now, the research that you all have done has shown that when people are using these sorts of methods that you offer with APP, I mean, the level of security goes way up. 

Shuvo Chatterjee: [00:19:30]  Yeah, absolutely. And even taking a step back from Advanced Protection, just enabling basic, you know, account security mechanisms such as basic two-step verification, it can block, like, upwards of 90% of automated bulk phishing attacks and a majority of targeted attacks. What Advanced Protection helps with is the super-targeted, highly motivated adversary, those levels of attack. But people can take these simple steps as, you know, enrolling in 2SV as a very first step to really reduce their surface area of attack. 

Dave Bittner: [00:20:05]  And I suppose if you're someone who falls into that category, chances are you probably know it or someone's telling you that you are. 

Shuvo Chatterjee: [00:20:13]  For the most part, we find that most people understand that they are higher-risk. But the problem that we see oftentimes - so, like, you know, this year being an election year, a lot of campaigns might be thinking, OK, it's just the principal or maybe, you know, top staffers who are targets. But in reality, it's anyone who would have access to sensitive data. It could be not only on the campaign's email domain but also your personal, right? Like, your personal account ends up being this place by which the rest of your digital life could fall like dominoes. 

Shuvo Chatterjee: [00:20:45]  And so protecting both personal accounts and your enterprise account for everyone who is associated with things that are highly sensitive, that's a really important step. And I think people also discount that, you know, family members could also be people who are under attack from these highly motivated players because that's an entry point. And through that entry point, they can have lateral movement and try to get to the final goal, which might be the principal. 

Dave Bittner: [00:21:18]  Yeah, it's a really interesting insight. I mean, I think a lot of folks - I think it's natural to think that when I leave the office and I head home that a lot of those concerns - I leave them at the office, but not necessarily the case. Your home network could be a way that people try to come at you. 

Shuvo Chatterjee: [00:21:34]  Your home network can be. It could be your connected devices. It could be your personal account that is also the recovery email for your bank account or for your social media or for, you know, various things are tied together. And oftentimes the thing that ties all these things together is that personal account. And people sometimes discount how important it is to protect that account. We're always listening to user feedback, and we've heard that people have said that they've had a hard time with security keys or that, you know, it's been difficult to enroll in. 

Shuvo Chatterjee: [00:22:06]  And what we are striving to do is, you know, strike that balance between usability and security, so that we can offer our strongest level of security by making that experience better over time so that people aren't having to choose between, well, this is too difficult and so I'm just not going to sign up for it, which at the end of the day actually puts them in a worse position. So we're trying to bridge that gap. 

Dave Bittner: [00:22:30]  That's Shuvo Chatterjee from Google. 

Dave Bittner: [00:22:37]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:22:48]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:23:00]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. 

Dave Bittner: [00:23:09]  Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here next week.