The CyberWire Daily Podcast 7.9.20
Ep 1126 | 7.9.20

Coordinated inauthenticity with a domestic bent. Preinstalled malware in discount phones. Evilnum and the Joker continue to evolve. Incidents at Freddie Mac and RMC.


Dave Bittner: Facebook takes down more coordinated inauthenticity. Preinstalled malware is found in discount phones available under the FCC's Lifeline program. The Evilnum APT continues its attacks against fintech platforms and services. Joker Android malware adapts and overcomes its way back into the Play Store. Freddie Mac discloses a third-party data breach. Johannes Ullrich from SANS on defending against evil maids with glitter. Our guest is Rohit Ghai from RSA with a preview of his keynote, "Reality Check: Cybersecurity's Story." And the Royal Military College of Canada's hack attack remains under investigation.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 9, 2020. 

Dave Bittner: Facebook yesterday took action against several networks for violations of the social media's policies against foreign interference and coordinated inauthentic behavior. The networks were based in four countries - Brazil, Canada, Ecuador, Ukraine and the U.S. 

Dave Bittner: The takedown was noteworthy for the prominence of political messaging directed at domestic audiences. The networks in Canada and Ecuador exhibited both inauthenticity and foreign interference aimed at audiences in El Salvador, Argentina, Uruguay, Venezuela, Ecuador and Chile. The messaging here had a political dimension as well but few obvious political commitments, often coming down on opposite sides in matters of electoral politics. Facebook said it was able to connect the activity to political consultants and former government employees in Ecuador and also to Estraterra, a Canadian public relations firm. They spent about $1.38 million on Facebook ads. Estraterra is no longer welcome on Facebook's platform. 

Dave Bittner: But the networks in Brazil, Ukraine and the U.S. are in some ways more interesting because they were taken down for using coordinated inauthenticity to engage domestic audiences. The activity in Brazil, Facebook said, was linked to individuals associated with the Social Liberal Party, including Jair Bolsonaro, who is, of course, Brazil's current president. This network also bought Facebook ads, but only to the chicken feed amount of $1,500. 

Dave Bittner: In Ukraine, the coordinated network was particularly active during the 2019 presidential and parliamentary elections. It posted about various issues of domestic interest, including Russia's occupation of Crimea and Ukraine's relationship with NATO. It also appeared to support some candidates. They spent about $1.93 million on Facebook and Instagram ads. 

Dave Bittner: Finally, the activity in the U.S. was connected to the already banned Proud Boys group, whose attempts to get back onto Facebook the social network was watching. In the course of that investigation, they identified a number of inauthentic accounts that The Washington Post connected to former political consigliere Roger Stone, who until his conviction for lying and witness tampering had been an adviser to President Trump. Facebook credits sealed court records in the case of the United States v. Stone, released after a petition by several news organizations, with helping it recognize the coordinated inauthenticity. This network also bought ads - more than the Brazilians but less than the others - not quite $308,000, according to Facebook. 

Dave Bittner: Researchers at security firm Malwarebytes report preinstalled malware on ANS - that is, American Network Solutions - UL40 phones running Android OS 7.1.1. The devices are among those sold by Assurance Wireless under the U.S. Federal Communications Commission's Lifeline program, which makes budget phones available to low-income consumers. This is the second time this year Malwarebytes has found preinstalled malware in discount Lifeline devices. Back in January, the company found similar issues with UMX U683CL devices produced by Unimax Communications, which Malwarebytes says officially removed all preinstalled malware from its phone in February. 

Dave Bittner: ESET has a report out on the Evilnum APT, a little-discussed group that's been active against financial technology companies since 2018 at least. The security firm's researchers say that the threat group uses a mix of internally developed and commodity attack tools. They steal financial information from trading and investment platforms. Most of Evilnum's targets have been in the EU or the U.K., with a few in both Canada and Australia. The commodity tools they use are for the most part purchased on the criminal-to-criminal market from the Golden Chickens malware-as-a-service vendor, whose other customers include FIN6 and the Cobalt Group. 

Dave Bittner: The information Evilnum has taken includes spreadsheets and documents holding customer lists, investments and trading operations, internal presentations, software licenses and credentials for trading software and platforms, cookies and browser session information, email credentials and customer credit card information, including proof of address and identity documents. The group has also been interested in information that could prove useful in subsequent attacks, like VPN configurations. 

Dave Bittner: They identify the group as an APT - that is, an advanced persistent threat - but ESET doesn't connect Evilnum with any particular government. And while it notes that Evilnum buys some of its tools from the same vendor as FIN6 and the Cobalt Group, it says it found no other connections among those threat actors. 

Dave Bittner: Security firm Check Point today outlined a new variant of Joker Android malware hiding inside apparently legitimate apps, some of which circulate in the Play Store. Forbes summarizes the findings as more evidence of Joker's dangerous sophistication. It hides itself in the manifest file of infected apps, which Check Point explained is the file every Android app must have, where the developer declares permissions needed, usage of servers and so on. The actor pushed encoded malicious payload into metadata fields in that file, only to be decoded and loaded when on a victim's device. That way, no configuration or payload needs to be pulled from the Internet. Google has ejected the malicious apps from the Play Store, but the Joker operators are adaptive, and once they are detected, they return. 

Dave Bittner: Continuing our media partnership with RSA and their upcoming Asia-Pacific and Japan conference, our guest today is RSA president, Rohit Ghai, with a preview of his conference keynote "Reality Check: Cybersecurity's Story." 

Rohit Ghai: The theme for the RSA conference this year is the human element, and I reflected on what it is that makes us human. You know, I think the unique trait that humans have is that we are a storytelling species, and as such, I reflected on what the story of the cybersecurity industry is and what impact it has in terms of the future of the industry. So that's sort of the thought process that led me to taking a storytelling perspective to the industry and the domain of cybersecurity. 

Dave Bittner: Can you give us a little bit of a preview of some of the things you're planning to talk about? 

Rohit Ghai: Absolutely. You know, the framing of the overall talk - the story arc, if you will, to use that word - is I talk about - you know, I set it up first in terms of human element being a key theme for cybersecurity and why the human element is important. And the net of it is that while we obsess so much about the technology infrastructure that we are looking to protect in the cyberworld, intrinsically this is a very human challenge. What we protect at the end of the day is the trust that we as humans have on technology and data. That's, at the end of the day, what our mission is. So I think just framing the mission from a humanistic lens is the first thing that I hit on. 

Rohit Ghai: Next, what I - you know, the overall story arc comprises of three episodes, if you will. I talk about the story we had in the industry, the story we have in terms of how we tell our story today, and then I close out with saying the story we want in terms of how we should tell our story because the way - in my view, the way you change the future or change the world is to tell the story that you want. You have to first tell the story. The story comes first and the future next. 

Dave Bittner: You know, it strikes me that many of us got together for the RSA Conference in San Francisco earlier this year, and - for, I imagine, most of us - that was the last big get-together that many of us had; that was the last opportunity for the industry to really get together, and so much has changed in just the few months since then. I imagine that that must have played into your thoughts here as you were putting this presentation together. 

Rohit Ghai: Absolutely, indeed. It was top of mind, and, you know, the way I weaved it into the story is like a plot twist, right? Every great story has a plot twist, and, boy, did we have a plot twist in the last few months. Who would have thought that, you know, right on the heels of the San Francisco edition of the conference, we would all be sort of quarantined, sheltered in place and kind of the world going through what it's gone through. What I've reflected on in my talk is some key learnings. Like, what have we learned through this global pandemic that we've all been living through? And I've tried to draw inspiration, you know, in terms of those learnings into the field of cybersecurity. So that's sort of the overall flow of the talk that I intend to give. 

Dave Bittner: That's RSA president Rohit Ghai. The RSA Asia-Pacific and Japan conference kicks off July 15. 

Dave Bittner: Freddie Mac, the U.S. Federal Home Loan Mortgage Corporation, has disclosed a data breach. It's apparently a third-party incident. Borrowers whose loans were serviced by one of Freddie Mac's due diligence vendors have received letters warning them of the breach. 

Dave Bittner: And Canada's Department of National Defense is continuing its investigation of last week's hacking incident at RMC, the Royal Military College of Canada - the Kingston, Ontario college that's the equivalent of the U.S. Military Academy at West Point or Britain's Royal Military College at Sandhurst. The Department of National Defense has said all early indications suggest this incident resulted from a mass phishing campaign. 

Dave Bittner: The Financial Post cites sources at the college as saying it was a ransomware attack. Emsisoft told the Financial Post that, assuming it was ransomware, the gangs responsible were probably either DoppelPaymer or NetWalker, both of which steal data before they encrypt drives and submit their ransom demand. NetWalker tends to add its victims to its public list and then remove them once they begin negotiating payment, whereas DoppelPaymer's style is not to disclose its victims until they refuse payment. Given that RMC hasn't shown up on anyone's list of victims yet, they're betting it's DoppelPaymer. 

Dave Bittner: The Department of National Defense said that certain systems of the Canadian Defense Academy, the umbrella organization for Canadian military education, were also affected, but the locus of the attack was RMC, whose networks have remained offline as a precaution. No classified information, the department says, is at risk. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the ISC StormCast Podcast. Johannes, it's always great to have you back. You know, we've heard a little bit about these evil maid attacks in the context of the Thunderspy vulnerability. You've got an interesting angle to this. Can you unpack what's going on here? 

Johannes Ullrich: Yeah. So Thunderspy was a fairly technical, difficult-to-pull-off vulnerability, where you essentially have to open up a laptop, you attach a little device to it to flash the Thunderbolt firmware on the motherboard. But the effect is quite devastating if an attacker is able to do that because they essentially sort of destroy the trust that your system has in its hardware. 

Johannes Ullrich: These attacks are often sort of called evil maid attacks, and the reason they're called evil maid attacks - well, back in the old days, when we were able to travel, we stayed at hotels and, of course, sometimes had to leave our laptops in a hotel safe that we all know is not all that great. And an evil maid that comes not to clean the room but to clean all of our secrets off our laptop may be able to have enough time in the room with the laptop to pull off an attack like this. So the difficult part here is it's really hard to prevent this attack other than carrying your laptop with you at all times, which, of course, is difficult and really inconvenient. 

Dave Bittner: (Laughter). 

Johannes Ullrich: So another approach is really to think about how to detect these attacks. 

Dave Bittner: All right. So what do you propose here? 

Johannes Ullrich: Well, one simple trick that I've read about myself many years ago and forgot actually where I picked it up, but is - you can buy this glitter nail polish, or, you know, maybe you have a significant other that uses glitter nail polish, and then you just put a little dab of glitter nail polish on the screws. The attacker has to remove the screws from the laptop. And by putting this glitter nail polish on the laptop, on the screws, well, if they open it, they will break that seal, so to speak. And it's really difficult, of course, even if they happen to have the same brand nail polish, to get it back just the right way. So you would take a picture of these screws after you apply the nail polish. 

Johannes Ullrich: I also recommend covering it up a little bit. Not necessarily to hide it, but to prevent it from being damaged accidentally. You know, many of us have, like, little cases or something we put on our laptops to protect them better; they may also work here. But just put a little piece of paper on it, maybe some tape, to prevent accidental damage here. 

Dave Bittner: I could imagine also that if someone were going to break into your laptop and they flipped it over and they saw glitter on the screws, they might think twice about it because of the possibility of them being discovered. 

Johannes Ullrich: Correct. And that may also discourage them. On the same note, hotel safes are known to be not secure. I prefer, like, a little backpack with sort of a Pelican case attached to it where I can put my own padlock on it. Again, this is not perfect. They can just cut the plastic. They can still steal the laptop. 

Dave Bittner: Yeah. 

Johannes Ullrich: That's not your worry. You're worried about them modifying the laptop without you knowing. So it is really more about adding sort of some tamper evidence than tamper-proof or theft-proofing the laptop. 

Dave Bittner: Yeah, I always wonder with these sorts of things. It strikes me that if you are someone whose risk profile includes this sort of evil maid attack, I suspect you would probably know it and have these sorts of protections put in place, or you'd be the person who wouldn't leave a laptop behind if this was something that you knew you were perhaps going to fall victim to. 

Johannes Ullrich: Correct. That's definitely the case here. And I've seen companies that, for high-risk individuals, have, like, X-ray machines where they periodically X-ray laptops to make sure they haven't been tampered with sort of on a circuit board level. What I always recommend is have two laptops - one for the company secrets that you leave in the hotel, one with your personal secrets that you keep with you - so that way nothing important gets stolen. 

Dave Bittner: That's a heavy backpack, Johannes. That's a heavy backpack (laughter). 

Johannes Ullrich: Yeah (laughter). TSA loves me. 

Dave Bittner: Yeah, that's right. That's right. All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.