The CyberWire Daily Podcast 7.1.20
Ep 1121 | 7.1.20

EvilQuest ransomware identified. Out-of-band patches. The scope of Chinese surveillance of Uighurs. Hong Kong and the National Security Law. FCC finds against Huawei, ZTE.


Dave Bittner: EvilQuest ransomware has been found in pirated versions of the Little Snitch app. Out-of-band patches from Microsoft and Oracle. Extensive Chinese surveillance of Uighurs has been described. Hong Kong and the world react to China's new National Security Law. The U.S. FCC finds both Huawei and ZTE are threats to national security. Joe Carrigan on password stealers that target gaming. Our guest is Kiersten Todt from the Cyber Readiness Institute on how COVID-19 has changed small business security and what to expect going forward. And Britain rethinks its position on Huawei and 5G infrastructure.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 1, 2020. 

Dave Bittner: Researchers at Malwarebytes have discovered a strain of ransomware, EvilQuest, that's afflicting Mac systems through a malicious version of the legitimate Little Snitch software. They first found EvilQuest in a pirated copy of Little Snitch that was being hawked, with torrent links, on a Russian-language forum. The malicious version has a package installer file, which, of course, the legitimate app doesn't. Help Net Security, which has been talking to researchers at Jamf, note that the absence of some of the usual instructions on how to pay the ransom suggests that EvilQuest might actually amount to a smokescreen for some other activity. It's a developing story, but for now it's safest to take EvilQuest at its word - consider it ransomware, and as Malwarebytes advises, keep a good offline backup of your files. 

Dave Bittner: Microsoft issued two out-of-band patches yesterday to address remote code execution vulnerabilities in Windows 10 and Windows Server 2019, ZDNet reports. Redmond wasn't the only place vendors got busy with quick patches. Mozilla released Firefox 78 yesterday, but then stopped the rollout when it was discovered that the new version came with several search issues. BleepingComputer says Mozilla made a fix available this morning. 

Dave Bittner: Turning to the rest of the cybersecurity news, which today is dominated by news about China. Chinese government surveillance of its predominantly Muslim Uighur minority was apparently both more extensive and began earlier than generally appreciated, The New York Times reports. Researchers at the San Francisco-based security firm Lookout today published the results of their study of the campaign, and they've determined that the intrusive monitoring began at least in 2013 and wasn't confined to domestic targets but extended to the Uighur diaspora worldwide. 

Dave Bittner: Lookout determined that installation of various forms of spyware in Android phones used by the targets was the beginning of a comprehensive surveillance effort that eventually extended to collecting blood samples, voice prints, facial scans and other personal data. They found connections among eight strains of malware they investigated. The campaign was, of course, concentrated in the western region of Xinjiang, where most Uighurs live. The New York Times observes, without apparent irony, that the measures transformed the region into a virtual police state. But it was unrelenting in its pursuit of Uighurs who went abroad, either permanently or temporarily. As many as 14 other countries may have been affected. 

Dave Bittner: The malware was tied to Uighur-language keyboards and, for the most part, consisted of Trojanized versions of otherwise legitimate apps, likely to be attractive to Uighur users. Authorities eventually took steps to ensure that the targets of their surveillance kept their infected phones. Having a second phone, using an outmoded and thus presumably uninfected phone, dumping a phone for no good reason or not having a phone at all could get you confined to a detention camp. 

Dave Bittner: Campaign has been run by the Chinese threat group variously known as Vixen Panda, APT15, Ke3chang, Mirage or Playful Dragon. They paid some attention to Tibetan, but their central focus was always on the Uighurs. 

Dave Bittner: Lookout acknowledges the theoretical possibility that the surveillance campaign was actually the work of patriotic hacktivists acting in the spirit of Beijing, although not actually under immediate government direction. But come on, they conclude, that theoretical possibility is pretty unlikely. 

Dave Bittner: Beijing's new National Security Law, enacted principally, although not exclusively, with Hong Kong in mind, has moved residents of the formerly semiautonomous city to begin doing whatever they can to reduce their online traces before full enforcement is complete, according to the Nikkei Asian Review. While justified in terms of restoring stability and prosperity to Hong Kong, the new law has a global reach. Quartz claims that it criminalizes any criticism of the Chinese Communist Party anywhere by anyone, Chinese or foreign national. 

Dave Bittner: POLITICO says the European Union has begun considering a coordinated response to the new law. The UK has decided to take a direct and immediate step to help Hong Kongers caught by what London calls a clear violation of the agreement under which Hong Kong was returned to Chinese sovereignty 23 years ago today. The South China Morning Post has confirmed that more than 3 million citizens of Hong Kong will be offered British national passports. The passports would give the holders the right to settle in the UK for five years, at which point they would receive settled status and be able to apply for citizenship. 

Dave Bittner: One of the lasting effects of the COVID-19 global pandemic is an ongoing sense of uncertainty. No one is immune, and it's made planning particularly challenging for small businesses. Kiersten Todt is managing director of the Cyber Readiness Institute, and she shares her insights on how COVID-19 has changed small business security. 

Kiersten Todt: The Cyber Readiness Institute was founded in 2017. In 2016, I served as executive director of President Obama's Commission on Enhancing National Cybersecurity. And toward the end of that commission, several of the commissioners and I got together to talk through how to continue the efforts by focusing on issues that we still feel and felt needed to have more resources and time focused on them and, specifically, small-business cybersecurity. 

Dave Bittner: As you look toward the future, what sort of environment do you suppose we're going to find ourselves in? Do you - are you hopeful that we're going to do a better job with this as we move forward? 

Kiersten Todt: I think - it's a very interesting question because we've been very focused on how to address the pandemic world and the remote workforce - all of these issues that are surrounding it. And when we've talked about going to the new normal, we've often talked a lot about, you know, what it means to take the lessons of this - these last two months. But I think as we're listening to how companies are starting to think about moving back to the new normal, which is really moving forward to the new normal, we know that - especially in 2020 - very few companies will be bringing their whole workforce back into the office. I think, you know, I'll be surprised, truly, if any large company does. Already, we've heard from the tech companies. Larger companies are talking about the fall, bringing back 25% of the workforce. 

Kiersten Todt: So to me, what that means is that the new normal, the new moving forward, is going to be a hybrid of both a remote workforce and bringing back to the physical workspace. And that in itself comes with new challenges because, while securing an entirely remote workforce is difficult, there is a consistency about that. But if you're split between physical infrastructure and everyone's remote home work infrastructure and there's a balance and there's a rotation, there is a lot of opportunity for inconsistencies. And so I think the thing we need to be thinking about from a cybersecurity perspective is how to secure the hybrid workforce as we look into the future. 

Dave Bittner: So for the folks who are professionals in the cybersecurity realm, what can they do? How do they help spread the word about the types of efforts that you're undertaking here? 

Kiersten Todt: So one of the things that we offer - all of our tools, as I mentioned earlier, are free. And so if you go onto our website - which is - you can register for the program, but you also have access to the documents. We've been in touch with a lot of global organizations - the United Nations, the World Economic Forum, the Universal Postal Union and others - and we're just encouraging them to send our content to their stakeholders. Again, our objective is not to require small businesses to buy anything, but to truly invest in the workforce because, at the end of the day, cybersecurity is grounded in human behavior. Human behavior can be a force multiplier for security, or it can be one of the most dangerous vulnerabilities in an organization. 

Dave Bittner: That's Kiersten Todt from the Cyber Readiness Institute. 

Dave Bittner: The US Federal Communications Commission has formally designated both Huawei and ZTE as threats to the U.S. national security. The FCC decision will, as Reuters and others point out, prevent US carriers from using money from the Universal Service Fund, which controls $8.2 billion, to purchase equipment from either company. The FCC also said that Congress would need to appropriate funds to compensate companies who now will have to rip and replace gear from the two Chinese manufacturers. Rural telecom carriers are most affected by the decision. 

Dave Bittner: And US sanctions in general are changing the cost-benefit calculations of prospective Huawei users in other countries as well. The BBC reports that the British government is rethinking its own mildly restrictive, mildly permissive approach to allowing Chinese companies to participate in the UK's 5G infrastructure. The US sanctions that forbid Huawei and its third-party suppliers from using US technology and software to manufacture their goods are well designed to pressure countries that use Huawei kit to revise their permissions. 

Dave Bittner: British Defense Secretary Ben Wallace called the US measures, which come into full effect in September, a better set of sanctions than the earlier sent; they're, specifically, clearly, designed in a smarter way to put countries that have high-risk vendors - specifically Huawei - under greater pressure. In any case, the U.K. and other countries are taking a noticeably harder line toward Huawei in particular. British authorities see the current situation in which the alternatives to the Chinese vendor are Ericsson and Nokia as a market failure. They're supporting the entry of Samsung and NEC into the market to diversify the supply chain. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: During this time of pandemic, when folks are spending a lot more time at home, that means that for a lot of people, they're spending a lot more time online playing games. Now, you're a bit of a gamer, aren't you, Joe? 

Joe Carrigan: Yes. I've been playing a lot of "Fortnite," Dave. 

Dave Bittner: (Laughter) OK. We had a... 

Joe Carrigan: And a little bit of "PUBG," but mostly "Fortnite." 

Dave Bittner: All right, well, I suspect you're not alone there. We had an interesting article come by. This is reporting that Kaspersky has been reviewing some password-stealers that's targeting gamers. 

Joe Carrigan: Yeah. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: What's happening is they're somehow getting these Trojans - these malicious actors are getting these Trojans onto users' machines, and then they're targeting these gaming platforms like, Origin and Uplay in attempts of stealing session cookies or session tokens - not really cookies because it's not a web browser. But if I can steal someone's session token, that doesn't give me their username and password, but it does let me essentially connect as them. And then I can transfer valuable in-game items out to myself if the platform allows that. This was a problem years ago with "World of Warcraft." Do you remember - did you ever play "World of Warcraft"? 

Dave Bittner: I did not, but I'm certainly - know of the game. 

Joe Carrigan: Right. I was never a big player of that game. Actually, I never did play it. I didn't care for it. But the idea was, you would collect all this - all these amazing items. But if someone got into your account, they could just transfer those items to themselves and then sell them for money later. And there was an entire black market around that. There may still be. I don't know. I don't know if people still play the game. But some of these Trojans actually don't just go after your gaming data. Some of them will sit there silently and wait until you start connecting to certain websites. And when you visit that website, the malware will activate and start gathering data, essentially just being a keylogger on these - on the website so they can collect your username and password information. 

Dave Bittner: And they note also that they may be going after credit card information as well. 

Joe Carrigan: Oh, yeah. They're going after credit card and banking information with these Trojans. I don't know how much at risk you are for credit card losses here. I mean, I think that's probably a minimal risk to the user, unless you have a debit card. That can be a little bit more devastating. But if you can get a credit card, I recommend using a credit card for any online transactions Because that's not your money, and if you file a purchase as being fraudulent, then you're not out any anything. Whereas... 

Dave Bittner: Yeah. 

Joe Carrigan: ...With a debit card, you can be out up to 50 bucks, and it may take some time for you to get your money back. 

Dave Bittner: Yeah. What are they recommending here in terms of protecting yourself if you're a gamer? 

Joe Carrigan: Well, there is one thing that you should always do, and that is set up two-factor authentication, right? Even if your login - your username and password have been stolen, they will not be able to access your account if you have two-factor authentication on. And we talk about that frequently, what the various forms of two-factor authentication are. But any form of two-factor authentication is a lot better than no two-factor authentication. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: It's - just do it. It's great. Only download gaming modifications from trusted sources. Apparently that's where some of these are coming from, these mods. You can get mods everywhere. I know that Steam actually will publish mods for their games. You can actually write a mod for a game and then publish it on Steam, and then Steam vets it. And then you can download it. We actually did this. My daughter's fiance did this with a "Civ" mod that just made the game completely non-competitive. But it was his experimentation with a mod. And it was available on Steam, and we could download it. 

Dave Bittner: (Laughter) Reminds me of the fast-shoot version of "Galaga." 

Joe Carrigan: Right. Yes. 


Dave Bittner: My favorite mod. 

Joe Carrigan: That's - that was a great mod. I remember that one. 

Dave Bittner: Old school (laughter). 

Joe Carrigan: It was just - yeah. You would just wipe everything out in a couple of seconds. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: They say use a reliable security solution. Of course, because this is from Kaspersky, they say Kaspersky Security Cloud is a great solution. But there are... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Tons of other security solutions out there. 

Dave Bittner: Right. 

Joe Carrigan: And I'm not saying that you shouldn't use Kaspersky. But, you know, just understand this is a Kaspersky article. 

Dave Bittner: Yeah. 

Joe Carrigan: But there are lots of services out there. And some - one of the things they note here is that their product has a gaming mode because a lot of times, games will do things. Like, particularly when they're using their anti-cheat software, they'll do things that look malicious. So your antivirus software may flag it as malicious and may stop it from happening, but Kaspersky says, don't turn it off. Don't turn off the security when you're playing a game. Their product has a gaming mode that reduces CPU load. So if you're playing on a PC, you may be playing where every process or operation counts, right? And... 

Dave Bittner: Right. Right. Right. 

Joe Carrigan: So turning off that antivirus may seem like an attractive idea, but don't do it. Use an antivirus that has a gaming mode that just reduces the load. The advantage is you're not really doing much else other than playing a game at the time, so there's not a lot of... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Lot of stuff going on. 

Dave Bittner: Yeah. All right, well, good advice. If you're someone out there who's spending some more time gaming during all this to help you get through it, some words of warning here to make sure that you're not being targeted. 

Joe Carrigan: Absolutely. 

Dave Bittner: All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.