Ill-received pranks. SFO breach. Silicon Valley cooperates on contact tracking. COVID-19 disinformation and scams. Notes on ransomware and booter services.
Dave Bittner: [00:00:00] Hey, everybody. It's Dave here, and I have a special favor to ask. If you have the time and you have the inclination, please go out and leave us some reviews for our shows on iTunes or wherever you listen. If you love the CyberWire, if you love "Hacking Humans," if you love "Caveat," just take a couple minutes. Leave us a review. That'll help us find more listeners. We do appreciate it. And as always, thanks for listening.
Dave Bittner: [00:00:28] Vandals prank victims with security researchers' names. San Francisco International discloses compromised networks. Google and Apple cooperate on contact-tracking tech. Chinese disinformation campaigns rely on ad purchases and social media amplification. Phishing attempts and other scams. Notes on ransomware. And police in the Netherlands take down some DDoS-for-hire services.
Dave Bittner: [00:00:58] And now a word from our sponsor ExtraHop, securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:22] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 13, 2020.
Dave Bittner: [00:02:31] Scammers with an evident vendetta against SentinelOne's Vitali Kremez and MalwareHunterTeam are distributing a wiper effective against Windows systems. BleepingComputer calls it a nasty prank, but prank seems too weak here. There's nothing in the report to suggest fun or whimsy, or even forgivable bad judgment or poor taste. The malware is an MBRLocker, and BleepingComputer thinks the wiper was created from tools made available on YouTube and Discord. Neither SentinelOne, Kremez nor MalwareHunterTeam has anything to do with the attacks.
Dave Bittner: [00:03:07] San Francisco International Airport disclosed last week that two of its networks, SFOConnect and SFOConstruction, were compromised. Users are advised to change their passwords. That would be, for the most part, airport employees and contractors. The attackers, Forbes writes, were apparently after Windows device credentials.
Dave Bittner: [00:03:29] Turning to some of the ways in which the COVID-19 pandemic is affecting security, two big Silicon Valley rivals are cooperating to enable contact tracking. Apple and Google are engaged in a joint development of Bluetooth tracking functionality that would notify mobile device users if they've been in proximity to someone who's been infected with the coronavirus. As The Wall Street Journal describes it, the contact-tracking system would be enabled by opt-in, and both parties would have to opt in. It also depends upon self-reporting on the part of infected individuals, which means that for the system to be effective, it would have to attract widespread opt-in as well as inspire a willingness on users' parts to keep their status up to date.
Dave Bittner: [00:04:12] There are, of course, concerns about the possibility of privacy abuses that could follow in the train of public health measures. CNBC has a discussion of how information sharing would need to be limited to avoid this. False positives are one problem, as The Verge points out, but concerns about the implications of entrusting governments with such tools have also arisen. The U.K.'s National Health Service is closely involved with the joint Apple-Google project, according to the Times, and the NHS has also shown, as The Guardian reports, a strong interest in deploying big data tools from Palantir and others against the pandemic.
Dave Bittner: [00:04:50] Motherboard thinks it sees signs that lawful intercept brokers - and NSO Group is named in dispatches here - see the increased government interest in tracking contacts as an opportunity for increased market penetration.
Dave Bittner: [00:05:04] The Wall Street Journal has an overview of the shape, scope and probable objectives of the Chinese government's disinformation campaign concerning the coronavirus pandemic. The efforts' goals seem to be at least threefold. First, deflect any blame for mishandling the epidemic away from the Chinese government. This would include misleading accounts about the epidemic's emergence and subsequent development, as well as disinformation about its recent progress like, for example, the claim that none of Hubei province's 42,000 health care workers were infected with COVID-19, a claim contradicted by earlier Journal reporting. The second objective is to fix any blame there might be for the emergence of the virus somewhere else. That somewhere else has usually been the United States, China's principal international rival. And third, there's a broader effort to portray China as a good international citizen, a reliable and technologically savvy provider of humanitarian aid. A contrast is generally drawn to the United States, with the Americans depicted as the opposite - unreliable, inept and unfeeling. This would be a move toward displacing where it can the U.S. from exercising this kind of soft power.
Dave Bittner: [00:06:19] The methods the Chinese services have adopted depend strongly on state-run media gaining access to social media audiences through advertising, with subsequent amplification in other social media posts. Researchers at the Stanford Internet Observatory told The Wall Street Journal that Beijing has purchased over 200 political ads on Facebook since the end of 2018. More than a third of those, however, were bought within the past two months, and those, for the most part, focused on trying to shape global perception around China's handling of the coronavirus outbreak. China's Facebook political advertising has drawn roughly 45 million views since February 15, which, in volume at least, exceeds the reach that the Internet Research Agency achieved around the U.S. 2016 elections, the Internet Research Agency being, of course, the now-notorious Russian troll farm. Facebook said last October that it would label ads purchased by state media, and Twitter says it's banned advertising by state media. Chinese government operators, however, have proved able to run ads unlabeled on both platforms.
Dave Bittner: [00:07:27] Two techniques are noteworthy. There's a tendency to pick up casual posts along the lines of, you know, I had a funny cold a couple months ago; wonder if it was coronavirus. These are amplified to suggest that the virus had its origins outside of China. There's also a tendency to communicate by insinuation, so the claim that COVID-19 is the product of a U.S. biowar program is typically made not by assertion but by posing a question. Was COVID-19 an American weapon? Inquiring minds want to know. Shouldn't this be investigated? We're not saying it's so, but it sure sounds suspicious, and so on. Such conspiracy mongering gains traction with repetition. The intended audience is Southeast Asia, Eastern Europe and Africa. Much of the Chinese disinformation has been picked up opportunistically by Russian and Iranian services.
Dave Bittner: [00:08:20] The U.S. FBI has been hard at work responding to the increased volume of malicious online activity that's followed the COVID-19 pandemic. Herb Stapleton is Cyber Division section chief at the FBI.
Herb Stapleton: [00:08:34] What we've seen so far is really cyber actors exploiting the COVID-19 pandemic through a variety of malicious activities and really targeting a wide range of entities in both the public and private sector. So some of the things that we're most concerned about include some of the typical cyber schemes that you would see or scams that you would see, but with a COVID-19 kind of pretext or flavor to them, so work-from-home kinds of scams, impersonation scams, business email compromise - those kinds of things. And the COVID-19 sort of theme comes in when the malicious actors will sort of try to impersonate maybe a government entity, like the CDC, or a health care-related entity, like the World Health Organization, to try to sort of trick people into believing that they're getting either official information about the COVID-19 pandemic or, you know, entitled to some type of medical treatment or something like that. But basically, it turns out to be really a scheme designed to steal personal information or money or even to deploy malware onto somebody's devices or system.
Dave Bittner: [00:09:47] Now, for the folks in our audience who are primarily cybersecurity professionals, what sort of actions can they take to assist the efforts that you all are making at the FBI to fight these sorts of things?
Herb Stapleton: [00:09:58] You know, I think among cybersecurity professionals, a little added vigilance is appropriate. You know, some of the things that we are concerned about are with the increase in telework, we also see an increase in people using telework-type software and applications, remote desktop type of applications, and those create added vulnerabilities. So, really, being extra vigilant for potential exploitation of those types of legitimate software tools, and also just making sure that the employees have an awareness of what could be waiting out there. So, you know, software from untrusted sources - we worry about malicious actors potentially using legitimate-looking telework software that they might offer at a free or reduced price that, ultimately, they would use to gain access to sensitive information or to send phishing links that are predicated to look like some type of legitimate telework software tool.
Dave Bittner: [00:10:59] Now, in terms of reporting to you all there at your agency, is it - the FBI's Internet Crime Complaint Center - is that the best avenue to send reports?
Herb Stapleton: [00:11:10] So we try to provide, you know, multiple ways that the public and companies out there can get in touch with the FBI. So the Internet Crime Complaint Center is certainly one of the best avenues to report these types of internet fraud scams or even cyber - suspected cyber intrusions. We also encourage companies to contact our local FBI field office as well. If, you know, if they have an immediate situation or need some immediate help, calling the FBI field office is also a great way to get in touch with the FBI and get some assistance.
Dave Bittner: [00:11:42] That's Herb Stapleton from the Federal Bureau of Investigation.
Dave Bittner: [00:11:46] Crunchbase reports that startups have been hit hard by the pandemic, with many of them forced to lay off workers. Big Tech, however, is hiring, and they're looking, in particular, for cybersecurity talent. Facebook alone, The Wall Street Journal reports, plans to hire 10,000 people during 2020. And the Silicon Valley Business Journal reports that Big Tech is also taking some measures to sustain their small business supply chain.
Dave Bittner: [00:12:13] Phishing attacks and phone scams continue to use COVID-19 fears as bait, the South Florida Times reports, and that's no surprise. Other criminal activity concentrates on the newly expanded remote work attack surface, with Zoom representing a favorite avenue of approach. Forbes says that Zoom-related threats have increased 2,000% since the pandemic began to force social distancing and telework. There's a thriving black market in Zoom vulnerabilities as criminals race against the teleconferencing provider's efforts to upgrade its security.
Dave Bittner: [00:12:45] DoppelPaymer ransomware operators have released documents belonging to Boeing, Lockheed Martin and SpaceX. Those three companies were not themselves directly infected with ransomware. Rather, it was a subcontractor, Visser Precision, who suffered infection. When Visser declined to pay the ransom, The Register writes, the gang began releasing stolen files. The incident illustrates two noteworthy trends, the convergence of ransomware with data theft and the extent to which organizations are exposed to significant third-party risk.
Dave Bittner: [00:13:18] Another ransomware operator, the gang behind Sodinokibi, says, according to BleepingComputer, that they'll abandon Bitcoin and adopt Monero as their currency of choice. A Europol statement that Monero is impossible to track seems to have prompted the decision.
Dave Bittner: [00:13:35] Finally, HackRead reports that Dutch police have taken down 15 DDoS-for-hire services. And in addition to knocking the booters offline, police in the Netherlands have made at least one arrest. A 19-year-old man was arrested on charges related to a distributed denial-of-service attack knocking out two Dutch government websites for several hours on March 19.
Dave Bittner: [00:14:02] Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself, hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro Enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the Contact Us link in the Enterprise box. That's thecyberwire.com/pro, and then click Contact Us in the Enterprise box and we will help you become that office hero.
Dave Bittner: [00:15:07] And I'm pleased to be joined once again by Andrea Little Limbago. Andrea, it's always great to have you back. I wanted to explore this notion that we're seeing more and more blackouts on the internet, why that's happening and what the implications of that are. Can you give us some insights?
Andrea Little Limbago: [00:15:24] Sure. What is happening, and it's really becoming a global phenomenon, is the use of governments basically controlling either sections of the internet within their country or countrywide blackouts. And it's in response to a variety of both domestic and international issues. A good example is Iran using internet blackouts during protests to help try and prevent greater congregation amongst - and communication from the protesters. And so you see that going on there, and that - you see the attempts for various kinds of internet blackouts, you know, across the globe for other kinds of protests. But then you see in India, which has actually just ended one of the longest blackouts of a democracy - I think it probably was the longest internet blackout of a democracy - in the Kashmir region. And again, it's an area, you know, under historic instability, historically remains a source of tension between Pakistan and India. And so, you know, leveraging what they could for control to, again, suppress any kind of communication, access to information. And just, it's greater control over what's going on on the ground amongst the population. And I think that in the case of India, I think the issue should be one that is particularly troubling because it is, you know, within a democracy and because it went on for so long.
Andrea Little Limbago: [00:16:39] You imagine how much of the economics depends on it, how much of our lives depend on the internet for banking, for shopping, for, you know, ordering a taxi and so many different components. And even in areas that aren't as deeply penetrated with the internet, there still is a huge reliance on it, and so it has an economic impact, has a social impact. And, really, at the end of the day, it's what the governments are using as one of their many tools to try and control what may be going on on the ground.
Dave Bittner: [00:17:07] What sorts of workarounds are available to people? You know, I think of in days past, when there would be news blackouts, you know, people could - you could put up a satellite dish and, you know, get the BBC or something like that, you know. So that was something that crossed borders. Are there similar types of ways that folks can work around these blackouts?
Andrea Little Limbago: [00:17:29] Yeah. And this is where we're seeing some interesting, you know, innovation, I guess, from the people on the ground. And it could be anything from leveraging more. So Bluetooth - you know, actually, there's an interesting case in Hong Kong of a Bluetooth app that allowed communications to occur. And so you can see, you know, something along those lines. In certain cases, they might be able to work around and move to different areas of the country then to get VPN access. And so there's sort of the combination of a technical and a physical real-world combination of innovations that they're trying to do. And, yeah, there are different cases of where people did go to, like, as far - as close to a border of another country to get access to their internet to then be able to try and communicate. And so it just - you know, it's interesting to see.
Andrea Little Limbago: [00:18:14] But in many cases, you know, a lot of folks don't have a solution, and they are in the dark, or they're mainly in the dark. And so we will see what happens with it. In many cases, they're fairly short-lived. And so, you know, the incentive to try and figure out, you know, a workaround for it isn't quite there yet. In other cases, like the Indian case, where it is so far-reaching and so impactful across the society - I think in Hong Kong is another case with some of the protests, where it really does spark innovation on the ground to try and find a workaround. But, you know, again, it's one of those things that it's really, really hard. And you don't really truly realize how dependent you are on the internet until it's a complete blackout.
Dave Bittner: [00:18:53] Yeah, it strikes me that there must be some sort of balance there because you don't want to necessarily, you know, tank the economy because banking cannot be done, because commerce cannot be done. I would imagine there's a lot of pushback there from your regular citizens who are just trying to get their business done day to day.
Andrea Little Limbago: [00:19:15] Yeah. No, exactly. You know, an interesting case that, you know, wasn't necessarily an internet shutdown, but when Russia tried to block Telegram, they accidentally blocked - I can't remember - you know, several dozen IP addresses that then ended up basically shutting down a range of grocery shopping, taxi services, research portals from the universities. So it basically had a huge economic impact across the country, and that was just trying to stop one app. And so you imagine what would happen in trying an entire internet blackout.
Andrea Little Limbago: [00:19:43] You know, it does have an economic effect. And so, again, I think for governments, they are weighing the cost-benefit of what may happen through it. And I think for the last few years, there have been at least, you know, a dozen different internet blackouts just on the African continent alone, and those numbers keep, you know, increasing. And so to date, it seems that the sort of the cost-benefit analysis of it is very much so in favor of doing the blackouts for a short period of time despite what some economic ramifications might be.
Dave Bittner: [00:20:11] All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: [00:20:14] All right. Thank you.
Dave Bittner: [00:20:20] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. It'll also make your smile bright and shiny. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:41] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:53] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest cybersecurity news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:21:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.