ARCHER incident. Contact tracing smishing. Malware vs. air gaps. A surcharge for deletion. Anti-creepware. 5G coronavirus delusions.

Dave Bittner: [00:00:03] ARCHER goes offline after a security incident. Suspicions of espionage against COVID-19 research. Scammers smish victims with bogus contact tracing messages. Ramsay malware goes after air-gapped systems. Ako ransomware now places a surcharge on deletion of stolen data. Google boots creepware apps with the help of the CreepRank algorithm. Johannes Ullrich explains that when it comes to malicious binaries bypassing anti-malware filters, size matters. Our guest is Pat Craven, director of the Center for Cyber safety and Education on the security of social media apps. And kooky 5G conspiracists go after cell towers in the U.S. 

Dave Bittner: [00:00:49]  And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:01:58]  Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud. To protect the latest like containers, to empower your change-makers like developers and to enable business accelerators like your teams - cloud security that accelerates business. It's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:21]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 14, 2020. 

Dave Bittner: [00:02:30]  The UK-based ARCHER academic supercomputing system has sustained what the network calls a security exploitation that led its administrators to rewrite passwords and SSH keys. They also took ARCHER offline while the incident was investigated, the Register reports. ARCHER's managers have warned that computers in Europe may also be affected and that users should not expect access to be restored before tomorrow at the earliest. The Register says that knowledgeable speculation points out that ARCHER is an obvious resource for research work by computational biologists as well as those modeling the potential further spread of the novel coronavirus, which also makes it an obvious target for espionage. 

Dave Bittner: [00:03:15]  Yesterday's joint statement by the US FBI and CISA warning that Chinese intelligence services are engaged in a far-reaching campaign to collect against COVID-19 research has elicited the foreseeable response from officials in the People's Republic. "It's slander," Reuters quotes a Foreign Ministry spokesman as saying. Spokesman Zhao Lijian also said that any interference with research ought to be condemned. 

Dave Bittner: [00:03:41]  The joint warning is interesting for the way the bureau and CISA connect espionage with damage to the research itself. Quote, "The potential theft of this information jeopardizes the delivery of secure, effective and efficient treatment options," end quote. So the risk appears to be more than the usual competitive threat to intellectual property that the U.S. has typically complained of in connection with Chinese espionage. 

Dave Bittner: [00:04:07]  The NHSX-sponsored contact tracing app the scammers are mimicking is now undergoing a closed beta trial on the Isle of Wight. Gizmodo says that the Isle's MP, Bob Seely, has offered a generally optimistic appraisal of how the app's doing. He notes that it's, quote, "throwing up lots of really good information," end quote. Of course, it's only to be expected that any application developed and deployed under emergency conditions would experience problems, and this one is no different. Preliminary reports from users complain that the app is a battery hog and that the permissions it asks for are confusing. Researchers who've looked at the system say that they've found other issues, in particular problems with iOS-Android interoperability. 

Dave Bittner: [00:04:52]  ESET has described Ramsay, an attack designed to exploit air-gapped computers. It's not that Ramsay defeats air-gapping in some spooky or exotic way. Instead, it concentrates on other infection vectors, like removable media. ZDNet it says that Ramsay appears to collect Word, PDF and ZIP documents in a hidden folder, where they're staged for later exfiltration. Few victims have so far been identified, which suggests to ESET that Ramsay remains in a relatively early stage of development. There's no attribution, but Ramsay appears to share artifacts with DarkHotel's Retro malware. 

Dave Bittner: [00:05:30]  Ransomware gangs routinely steal victims' data to gain additional leverage. BleepingComputer reports that one gang, the operators of Ako, are now also imposing a surcharge for deleting their copies of stolen files. 

Dave Bittner: [00:05:45]  If you've got school-aged kids, chances are they are home from school these days thanks to the COVID 19 shutdowns. And if you're listening to this podcast, chances are those same kids have access to a variety of online social media services, which they are using to keep in touch with their friends and classmates during the shutdown. And all that increased time spent online opens up the potential for bad things to happen. Pat Craven is director of the Center for Cyber Safety and Education. 

Pat Craven: [00:06:15]  What's amazing, Dave, is that it's possible for our kids to actually spend more time online. You know, who thought that was going to be the situation? 

Dave Bittner: [00:06:23]  (Laughter). 

Pat Craven: [00:06:23]  And now, practically by law, they're supposed to be spending more time online. And so it's just - it's ramped up tremendously, all the challenges from a safety standpoint with our children and what they're doing. And parents are working from home, and they're busy, and they're trying to teach kids and home-school. And there's less - even less supervision than we had in - just months ago. So it's been a pretty fascinating thing and a pretty dangerous - the kids are utilizing - and adults as well. We're utilizing different apps, different ways to connect and to be social with people and try to have fun. And there comes risks with all of that. 

Dave Bittner: [00:07:05]  What about - you know, as people have had to go home and start doing their work from home and using their home networks for business uses, what's the concern of your kids having some of these apps on their devices on a network that's shared with the work you're doing for business? 

Pat Craven: [00:07:21]  Well, that's a great point and something we try to really stress with people, is that - yes, you're now sitting at home, and you're working on potentially confidential materials for the office, and you're on that same network, on that same Wi-Fi that the kids are out exploring the internet with. And that opens you up to so many more vulnerabilities that we don't think about, that - we think of everything being separate, but they're all running through that same router, through that same Wi-Fi. And any kind of breach could come back and actually get into you, into your laptop, and then you eventually even send a document that could be corrupted to to somebody in accounting. And it just - the line goes down and down. So it's something that we really have to think about tremendously. 

Dave Bittner: [00:08:08]  Is it reasonable to do occasional audits of these devices, to go through and just check through the apps and see what permissions have been granted and just do a little reality check there? 

Pat Craven: [00:08:19]  Absolutely. Either - even if you've done it at the beginning, if you've gone in and set it to private or that they can't just have anybody part of the conversation, that it's friends-only, go back and check that. There's constant updates to these apps. And also, too, of course, the child might switch something, thinking they're making it better and easier to use, and then they have allowed more vulnerabilities. So it is. It is something that we need to do with all of the different platforms that the kids are on or even ourselves, again, that - you know, that we're using all these different apps for social stuff or for work even, to make sure that our settings haven't been changed or adjusted or a new update came down that set things back to default. So we have to make sure of that. 

Dave Bittner: [00:09:11]  That's Pat Craven from the Center for Cyber Safety and Education. 

Dave Bittner: [00:09:16]  According to ZDNet, Google has used an algorithm, CreepRank, developed by a university industry team to identify 813 creepware apps for removal from the Play Store. Creepware is similar to spyware or stalkerware only, generally, less aggressive. ZDNet explains that it's used to stalk, harass, defraud or threaten another person, directly or indirectly. 

Dave Bittner: [00:09:41]  And finally, the luddites and weirdos who've been trashing cell towers in the UK, Belgium and the Netherlands because they've heard that 5G causes coronavirus have inspired their conspiracy-minded soulmates in the States to take similar action. And all we can do is wonder why it took everybody so long. There have now been incidents reported in the US And The Washington Post says the US Department of Homeland Security is working on an advisory and a plan to help telcos protect their equipment. 

Dave Bittner: [00:10:13]  The Post mentions disinformation in their coverage, but this seems likelier to be a case of misinformation. It also provides a discouraging case study of rumor convergence, the strange bedfellows passionate commitment to a cause can make, the reach of influencers and the sad futility of much rumor control. 

Dave Bittner: [00:10:33]  One wonders how much the use of virus for both a class of pathogen and a kind of malware have contributed to the popular mania. The Post quotes Erik van Rongen of the International Commission on Non-Ionizing Radiation Protection as saying, quote, "It is physically impossible that electromagnetic fields transfer particles like viruses," end quote. Needless to say, the activists whacking cell towers know better. Of course, it stands to reason viruses could travel that way. Do your own research, sheeple. And so on. 

Dave Bittner: [00:11:07]  Some of the attacks, sources say, may have been acts of ecotage, taking opportunistic advantage of the pandemic to damage counter-to-nature infrastructure. And there's been no shortage of celebrity influencers sharing the dope that 5G causes COVID-19. The British light-welterweight boxer and philanthropist Amir Khan, the singer Anne-Marie - responsible for "Ciao Adios" and "Rockabye," among other hits - the actor Woody Harrelson - known for "Cheers" and "Zombieland" - have been particularly mentioned in dispatches. For our part, we're going with Mr. van Rongen over Mr. Harrelson. It's dismaying, if not unexpected, to see how the impulse to do damage like this can be well beyond the reach of rumor control. The Federal Emergency Management Agency and others have tried but with apparent indifferent success - alas. 

Dave Bittner: [00:12:06]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Security is essential for a remote workforce. LastPass Identity helps make stronger security seamless through integrated single sign-on, password management and multifactor authentication. LastPass Identity enables remote teams to increase security. LastPass can help prevent against the uptick in cyberattacks targeting remote workers through biometric authentication across apps, workstations and VPNs for an additional layer of security across all critical devices. It can help manage user access. Regardless of where or how employees need access, LastPass ensures employees always have secure access to their work applications through single sign-on and password management. It helps your employees securely share. LastPass enables remote employees to securely share passwords across teams in order to securely collaborate and stay on top of critical projects. And it helps maintain control. LastPass enables IT to remain in complete control over which employees are accessing which resources no matter where they're working from. With LastPass Identity, you can keep your remote workforce secure and connected. Visit lastpass.com to learn more. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:13:48]  And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute. He's also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. Something you all have been tracking is the use of very large malicious binaries to bypass some anti-malware filters. What's going on here? 

Johannes Ullrich: [00:14:09]  Yes. So when you're looking at most malware, it's awfully compact. Like, you know, it's a little Visual Basic macro or something like this that then downloads maybe some other little bit of malware. But we're often talking about, you know, a couple megabytes only. Now what we ran into was a malicious binary that actually was a few hundred megabytes in size. And we're wondering why, you know? Why would a hacker bother with this? Because that's going to get stuck in mail filters, for example. You know, most mail systems will not deal with binaries like this. Now this was downloaded via HDP, but even then, often, large downloads like this fail. But the advantage of these large downloads is that a lot of anti-malware systems have essentially an upper limit to what's the largest piece of a binary software they're going to inspect. And they're probably going to bypass that limit by - essentially just in this case - adding some kid's drawings to the binary. 

Dave Bittner: [00:15:18]  Right, just some junk to just bulk up the size of the file. 

Johannes Ullrich: [00:15:22]  Yeah. Like, what happened in this case was they pulled it out. It was - it looked like kid's drawings. Could be - well, maybe the malware author wasn't really the greatest artist. But... 

0:15:30:(LAUGHTER) 

Johannes Ullrich: [00:15:33]  So some scribbles, kind of... 

Dave Bittner: [00:15:34]  Who are we to judge, right? (Laughter). 

Johannes Ullrich: [00:15:36]  Some faces you could make out and such, but that's basically what made up the bulk of this binary. And of course, you know, any kind of anti-malware, they're looking just at that additional code, but probably not considered malicious. And that wasn't really the malicious part. The malicious part was, you know, the usual malware code - I think it downloaded or something like this - that there was a patch there. 

Dave Bittner: [00:16:00]  You know, it reminds me of just in day-to-day use of things like Google Drive. You know, if you have a file that you're storing there and you want to download it, if it's larger than a certain size, Google Drive will pop up and say, you know, hey, this is too large for our usual virus scan. Do you want to grab it anyway? And - well, yeah, I want to grab it anyway. I need that file. 

Johannes Ullrich: [00:16:23]  Yeah, and there isn't really another option. Like, it's not that you can say, hey, it's large. Let me wait a couple minutes until you've scanned it. That's not an option here. It's really just, you know, do you want to get work done, or do you not want to get work done? That's sort of how that dialogue really looks to the user. 

Dave Bittner: [00:16:38]  Yeah. Do you feel lucky... 

Johannes Ullrich: [00:16:40]  Yeah. (Laughter). 

Dave Bittner: [00:16:41]  ...Which is, I guess, ironic coming from Google. Yeah. 

Johannes Ullrich: [00:16:43]  Yeah. And of course, you know, Google is a trusted site in some ways. So you - you know, you consider this more like a document coming from Google in this case versus something coming from an untrusted source. 

Dave Bittner: [00:16:55]  Yeah. Now they were not only using large malicious binaries, but you were also seeing corrupt documents as well. 

Johannes Ullrich: [00:17:02]  Yeah. That's the other thing we saw. And that's really an issue that keeps popping up not just with malware, but also in network traffic, that software has gotten pretty good in dealing with corrupt documents. Like, I always joke when we talk about sort of a web applications it's pretty much unknown that someone has sort of a completely standard complined (ph) HTML page. You know, they always do something weird and tricky. Here was a Word document that sort of started with a new line character. And it turns out certain versions of Word just ignore that new line character and will nicely display the document, which was malicious in this case. But some of the scanning tools, well, they say hey, this is a malicious - this is not a malicious. This is an invalid document. I don't really bother scanning it, and they may even have problems parsing the document because of these additional characters. 

Dave Bittner: [00:17:56]  Oh, that's interesting. So the the anti-malware software lacks the sophistication that the native software has to deal with a document that's out of spec. 

Johannes Ullrich: [00:18:06]  Correct. And since this also depends on the exact version of Word you're running, this is something that one user may open and nothing happens because they're using, like, an older or newer version of Word, while another user that uses that version of Word that doesn't - that is able to open the document will get infected. So this makes analysis of malware much more difficult. Also, of course, if you're running - and that's sort of how he came across this - if you're running a document in a sandbox, you often use a fairly specific version of Word that just, you know, runs well in the sandbox, that you have sort of instrumented to work well within the sandbox. If that version is not the same that your end users are running, then, of course, you may miss attacks like this. 

Dave Bittner: [00:18:50]  Right. Right. All right, well, interesting stuff as always. Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: [00:18:56]  Thanks for having me. 

Dave Bittner: [00:19:02]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexis smart speaker, too. 

Dave Bittner: [00:19:20]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:32]  The CyberWire podcast is probably produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.