Berserk Bear is back, and still loves that critical infrastructure honey. COVID-19 apps: good, bad, and bogus. Android issues discovered. A FIN7 arrest. Mr. Faraday’s underwear.

Dave Bittner: [00:00:04] Berserk Bear is back and snuffling around Germany's infrastructure. Two new Android issues surface. India opens up the source code for its COVID-19 contact-tracing app, as such technological adjuncts to public health continue to arouse privacy concerns. [F]Unicorn poses as Italy's Immuni app. An alleged Fin7 gangster is arrested. Australia's Data61 urges companies not to scrimp on R&D. Joe Carrigan on Android mobile malware getting new features. Our guest is Fredrick "Flee" Lee from Gusto on CCPA. And does your underwear come with a Faraday cage? And we thought it might. 

Dave Bittner: [00:00:48]  And now a word from our sponsor the University of San Diego. Cybersecurity newsflash - in addition to gumming up the works with malware, phishing expeditions and DNS attacks, the black hat hackers of the world are also creating jobs. Let me explain. Cybercrime is causing so many headaches and financial losses for many CEOs that companies everywhere are paying top dollar for cybersecurity talent. By some estimates, the financial damage caused by the global cybercrime epidemic each year is about to hit $6 trillion. That's why employers across all industries are paying six-figure salaries for cybersecurity pros with the right experience and training. University of San Diego and its online cybersecurity engineering master's degree program are doing a lot of reporting on this. They also offer an outstanding online training program if you're interested in sharpening your skills to advance your career or to transition into cybersecurity. Connect with a team at sandiego.edu/cyberwire. Mention this podcast, and they'll waive the fee to apply. That's sandiego.edu/cyberwire. And we thank the University of San Diego for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:31]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 27, 2020. 

Dave Bittner: [00:02:40]  CyberScoop reports that German intelligence services have circulated an advisory warning that the Russian government threat group Berserk Bear is actively working against German industrial operations in the energy and water sectors. Berserk Bear was last mentioned in dispatches during 2018, when the US government warned that Russian actors had been engaged in some preliminary reconnaissance of US infrastructure. Tagesschau identifies the German intelligence services as the Federal Intelligence Service, BND, the Federal Office for the Protection of the Constitution, BfV, and the Federal Office for Information Security, BSI. The warning doesn't directly name the Russian government, but it prominently links as evidence to US documents that do just that, so the intended attribution isn't seriously in question. 

Dave Bittner: [00:03:32]  Two Android issues have surfaced. F-Secure warns that default configuration specific to regions also create region-specific security problems for flagship Android devices. It's easy to assume that handsets with the same branding will be roughly interchangeable with respect to security, but that assumption, F-Secure says, is unwarranted - quote, "customization done by third-party vendors, such as Samsung, Huawei and Xiaomi, can leave these devices with significantly poor security dependent on what region a device is set up in or the SIM card inside of it," end quote. 

Dave Bittner: [00:04:10]  The other Android issue is a vulnerability called Strandhogg 2.0 by researchers at Promon who described it. TechCrunch reports that Strandhogg 2.0 could be exploited by password-harvesting malware masquerading as legitimate apps. It doesn't appear to be exploited in the wild, at least for now, but the researchers warn that exploitation might be unusually difficult to detect. 

Dave Bittner: [00:04:36]  India's government has announced that it's making the source code of its Aarogya Setu contact-tracing app available for inspection and testing, a decision that Reuters says is generally being well-received by digital rights activists as likely to increase the system's security. 

Dave Bittner: [00:04:54]  Privacy concerns continue to surround the contact-tracing technology being trialed by Britain's NHSX. Fear that the app will outlive the pandemic and become a permanent part of a national surveillance system are now familiar, and the war rhetoric that C4ISRNET sees surrounding national responses to the pandemic have probably helped provoke that sort of backlash in public opinion. Computer Weekly reports that centralized data collection has also aroused worry that contact-tracing databases will themselves prove to be insecure and that if breached they would provide cybercriminals with resources for identity theft and other capers. 

Dave Bittner: [00:05:34]  According to BleepingComputer, an archly named ransomware strain, [F]Unicorn, is being distributed by social engineering come-ons that inveigle users in Italy to download the malware in the belief that it's a contact-tracing app developed by the Italian Pharmacist Federation. Trend Micro says the ransomware poses as a beta release of the Italian government's Immuni COVID-19 app. One might ask, given the difficulty that legitimate contact-tracing apps have in finding enough willing users to make them effective, why criminals would think this particular social engineering approach likely to succeed. The answer, of course, is that public health organizations need at least half the population to sign up for contact tracing, but the criminals only need a few marks to make it worth their while. As is so often the case, the secret to the criminals' success is volume. 

Dave Bittner: [00:06:28]  Score one for the Feds. US authorities, according to court documents unsealed late last week, have taken a leading member of the Fin7 gang - an alleged leading member of the gang, we must note. Denys Iarmak was extradited from Thailand and is now in US custody. Fin7 is regarded as an unusually sophisticated and effective gang, VICE reports, and is thought to have taken in at least a billion dollars from its victims, which include businesses in the retail and hospitality sectors. 

Dave Bittner: [00:06:59]  Fredrick Lee is chief security officer at Gusto, a financial services and payroll company. His friends call him Flee, which I assume came about from an abbreviation of his name in an email address. At any rate, Flee is nothing if not outspoken, and he joins us with opinions on CCPA, the California Consumer Privacy Act. 

Fredrick Lee: [00:07:20]  So, you know, for those that aren't aware, CCPA is the California Consumer Privacy Act that went into effect earlier this year here in 2020, with the idea being to help reestablish privacy and data ownership controls for consumers, to help give businesses some better guidelines, but ultimately, also some regulations and enforcements to go along with that to set the stage for proper behavior when it comes to dealing with civilians' data. At a high level, you know, that is a great idea. Part of my concern, though, is how that has actually been implemented and if it's actually going far enough. 

Fredrick Lee: [00:07:58]  So, you know, one of the great things about CCPA is, yes, it truly is giving some real enforcement mechanisms and some real incentives for companies to actually start doing better when it comes to data, you know, and data mining, et cetera, selling of data for - you know, consumer data. So for example, a company that you may have signed up with, either maybe do some online shopping or maybe even just a newsletter from, they now have stronger guidelines for what they can actually do with that data. In the past, some companies have used that data to just sell it and you didn't know anything about it. But now you as a consumer have a right to know how your data is being used, if it is being sold. And you also now have a right here in California to ask for that data to be destroyed. So you have a lot more control over your own data, and that's ultimately a good thing. We want more and more companies to really be proactive and really aware that there's a human behind that data and that it's not just - you know, not just bits but there's a physical person there, and that physical person has desires and rights and about how they actually want their data to be treated. And that's actually one of the things I think is good about CCPA. 

Fredrick Lee: [00:09:10]  One of the things that I am somewhat cautious of when it comes to CCPA is, obviously, does it go far enough? And even more so, does it kind of, in a backwards way, give companies an out? What regards (ph) actually does CCPA go far enough? Right now, it's hyperfocused on, really, this idea of actually selling data and, you know, your right to know and what companies can and can't do. And there are actual teeth behind it. So, you know, there are fines associated with companies that actually violate CCPA. But we also know that there are companies that, you know, for better or worse, are actually big enough that they can actually weather those fines. And that's, I think, one of the shortcomings. Are there enough teeth behind CCPA? And I think it's actually part of the thing that we need to really push on for. 

Fredrick Lee: [00:09:54]  When we actually see legislation such as CCPA, we have to make sure that we as an industry not just adhere to that but actually go way, way, way, way beyond it. Like, CCPA should kind of be almost like the bare minimum that a company should do. And, unfortunately, some companies do view it that way. Like, hey, this is the bare minimum, and as long as we actually do that, we're fine. But I want to see us as an industry push even further, start implementing, you know, these ideals of what it means to be a good data custodian. Like, we have people inside of a company that advocate on behalf of consumers and their privacy, having things like a privacy counsel inside of your company that can actually kind of really sit down and think about what are the implications of us rolling out this feature? How does that impact an end consumer's privacy? 

Dave Bittner: [00:10:42]  That's Fredrick Lee, Flee, from Gusto. 

Dave Bittner: [00:10:46]  The Commonwealth Scientific and Industrial Research Organisation's Data61 unit, Australia's data science research institution, advises companies not to squeeze R&D budgets in the course of COVID-19 belt-tightening, the Financial Review reports. Jon Whittle, currently dean of the Faculty of Information Technology at Monash University, will assume the directorship of Data61 in July. He urges companies to maintain their commitment to research, that innovation would pay off once the pandemic passes. 

Dave Bittner: [00:11:20]  And, finally, have you been able to swaddle yourself in a Faraday cage yet? All the right people are doing it. No, seriously. Now available on Amazon, if you're interested, are products that claim to protect the user from the malign effects of 5G signals. The Telegraph reports that the offerings include underwear, stickers, blankets, pills and so on. Not only do none of these things offer protection, but the protection itself would be protection against a perceived threat that's, well, no threat at all. 

Dave Bittner: [00:11:52]  So why are people all of a sudden so worried about the electromagnetic fields associated with 5G technology? Well, it's a perennial bit of hypersuspicious hooey that's achieved new currency with bogus conspiracy theories that link the COVID-19 virus to 5G signals. 

Dave Bittner: [00:12:10]  We looked at Amazon, and, indeed, the stuff is up for sale - anti-EMF radiation-reducing underwear - protection from cellphones, wireless, Bluetooth and 5G radiation and EMF - EMF-shielding black sports bra, which features moisture-wicking properties for 5G, EMF protection hat hood with antiradiation fabric, EMF protection and RF shielding, and the anti-EMF stickers. These come in 10-packs, and it's not clear whether the stickers themselves afford protection or simply warn people of the dangers. EMF, of course, is electromagnetic field. 

Dave Bittner: [00:12:46]  The US Federal Trade Commission says there's no scientific proof that so-called shields significantly reduce exposure from these electromagnetic emissions. This is the tinfoil hat for the 21st century, and we have to say the garments are a lot more stylish than the old DIY hats used to be - you know, the kind you wore back in the day to keep the government from X-raying you through the ceiling. Perhaps I've said too much. 

Dave Bittner: [00:13:16]  Hey, everybody. Dave here. As you know, we've been fortunate to have built a pretty influential audience over the years. Security leaders across the globe trust us and depend on us every day to deliver the news and analysis they need to do their jobs. And that's also why so many top security companies and hot startups trust us to connect them to the decision-makers and influencers to help get the word out about their brand and fill their sales funnels. We've got lots of great sponsorship opportunities that can help you get the word out, too. Just visit thecyberwire.com/sponsorship to learn more and connect with us. That's thecyberwire.com/sponsorship. 

Dave Bittner: [00:14:03]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and also my co-host over on the "Hacking Humans" podcast. Joe, always great to have you back. 

Joe Carrigan: [00:14:12]  Hi, Dave. 

Dave Bittner: [00:14:14]  Got an interesting story came by. This is from the BankInfoSecurity website, and it's their Botnet Watch. And they're talking about the Anubis mobile malware getting some new features. What's going on here, Joe? 

Joe Carrigan: [00:14:26]  Yeah, this is interesting. So Anubis is a banking Trojan that tries to collect your banking credentials, and it's pretty richly featured, actually. It's got a very good command and control system. And, of course, then it has a client that gets installed on Android devices, and there are lots of ways they try to get you to install this. Surprisingly, one of the big ways - and this is kind of a thorn in the side of Google, this article says - that these guys try to embed Anubis, the Trojan part, into what looks like a legitimate app in the app store - in the Google Play Store, and Google has to go through and find these things. They obfuscate the code so that it's harder for Google to find it. So there's a chance that it could be in the Google Play Store. And Google's always, of course, looking for it. But then they also use third-party app stores and maybe even try to get you to install it via a phishing campaign. 

Joe Carrigan: [00:15:23]  But there are some interesting features that already are included with this, and one of them was - Trend Micro noticed this last year - that if Anubis malware - if the Anubis malware sees that there's no data coming from the accelerometer, the motion sensor, then the device is probably a sandbox device, right? You know, like, if I build an emulator on my computer that emulates an Android device and this software's running on it, it will check the accelerometer for accelerometer data. And if there's no data coming from it, it says, I'm not running, nope, not going to do it, because it knows that it's in a sandbox and being observed. Now, there's a simple workaround for that. You can probably generate - you know, record and play back some accelerometer data that will fool the malware. But you have to take that step or the malware will never run and you can't do what's called dynamic analysis, which is... 

Dave Bittner: [00:16:14]  Right. 

Joe Carrigan: [00:16:14]  ...Where you do the analysis on the software as it's running. And because it's obfuscated, a lot of times static analysis, which is where you do the analysis on the software just as it's written, is very difficult. 

Joe Carrigan: [00:16:26]  But one of the new features that they're saying in this article - and it's not out yet, but it's probably coming soon - is a feature that lets the malware operator know or the malware know when the user is looking at the device. Now, this is actually a feature that's included in a lot of phones so that the screen doesn't go blank, right? So the camera actually watches your face and sees that your eyes are looking at the phone. And if the camera sees that your eyes are looking at the phone, the phone will not shut the screen off. And this is a user feature, but here it is being exploited by malicious actors. So now if I'm a bad guy and I write some software and I'm going to execute something on that software that I know is going to put something on the user interface that the user might see, I wait for the user to not be looking at the phone before I run it. 

Dave Bittner: [00:17:13]  Right. 

Joe Carrigan: [00:17:14]  Right? 

Dave Bittner: [00:17:14]  Right. 

Joe Carrigan: [00:17:15]  And then... 

Dave Bittner: [00:17:15]  Right. 

Joe Carrigan: [00:17:16]  ...I can do it and I know the user didn't see it because they weren't looking at the phone because the phone tells me when the user's looking at it. So here's another feature being exploited for a malicious purpose. 

Dave Bittner: [00:17:27]  Yeah. I'm waiting for the feature when it can, you know, do an electronic equivalent of throwing your voice, you know, so it gets you to look the other way. 

Joe Carrigan: [00:17:35]  Right. 

0:17:35:(LAUGHTER) 

Dave Bittner: [00:17:37]  Look over here, right? Some sort of, you know, audio acoustic illusion so it has you - it sounds like it's dropping, you know, a fork or something behind you, and so you look the other way, and then it does whatever it needs to do on the screen while you're looking away, I suppose. I don't know. I can imagine that being a coming feature. Yeah, yeah. 

Joe Carrigan: [00:17:55]  But if it's behind you... 

Dave Bittner: [00:17:57]  Right, right. Look out (laughter). Right, right. But how interesting that these features, I guess, that are available to any developer and a good thing, a valuable feature, but the bad guys can use them as well. 

Joe Carrigan: [00:18:12]  Absolutely. That's correct, a hundred percent correct. Anything - like I frequently say, I can use a hammer to build a house, or I can use a hammer to take a wall out maliciously, you know? It's a tool. 

Dave Bittner: [00:18:23]  Do we have any sense for who's behind Anubis? 

Joe Carrigan: [00:18:26]  There is - this article talks about rumors about a developer calling himself Maza-In, but the code has been released in an unobfuscated form, so there are multiple people probably out there developing it right now. Once you get the unobfuscated form, it's very easy to reverse engineer it back to code, and then you can start just maintaining it on your own. So we don't really know who's behind it. The rumor was that Maza-In was arrested by the Russians - Russian authorities. I don't know if that's true or not. I have no idea. But the code is still out there, and it is being developed, and it's probably being developed by multiple parties. 

Dave Bittner: [00:19:06]  Yeah, yeah. All right, so be aware of that one. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:10]  It's my pleasure, Dave. 

Dave Bittner: [00:19:16]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:34]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:46]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.