Huawei to be closed out of UK’s 5G infrastructure. Spyware, ransomware, and botnets. The odd case of Data Viper. SAP has a major patch out.
Dave Bittner: The British government decides to ban Huawei. More on the malware associated with the Golden Tax software package. The Molerats appear to be behind some spyware misrepresenting itself as a secure chat app. The Phorpiex botnet is back distributing a new ransomware strain. The odd case of the Data Viper breach. Ben Yelin tracks a ruling from the D.C. circuit court on the release of electronic surveillance records. Our guest is Ann Johnson from Microsoft, discussing her keynote at RSA APJ, "The Rise of Digital Empathy." And SAP has a patch out. If you're a user, CISA advises you to take this one seriously.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 14, 2020.
Dave Bittner: As expected, the U.K. has now banned Huawei from participation in its 5G build-out. This policy reverses an earlier decision to permit the company some limited role in noncore sections of the coming British infrastructure.
Dave Bittner: In many respects, the decision represents an attempt at internal compromise. British telecommunications companies had worried about the cost of replacing equipment. The Guardian reports that all Huawei 5G equipment must be out of British 5G networks by 2027 and that no new 5G gear may be purchased after the end of this year. The BBC reports that Tory backbenchers remain unsatisfied - they want quicker action - but the decision represents a sharp setback for Huawei. According to Sky News, Huawei's U.K. chair, Lord Browne, has resigned.
Dave Bittner: Researchers at Trustwave's SpiderLabs have an update to its report on Golden Tax, a spyware-infested tax software intended for use by companies doing business in China. Their first reports concentrated on GoldenSpy, and now they're describing GoldenHelper, an earlier malware dropper embedded in Golden Tax. The GoldenHelper campaign ran from 2018 through January of this year. Its specific objectives remain unclear, but its behavior suggests that it was up to no good. Trustwave says its research is continuing, writing, "we have not yet identified a sample of the final GoldenHelper payload taxver.exe. We do not know its purpose, capabilities or IOCs," quote. If you've got a sample, drop them a line.
Dave Bittner: Bratislava-based security firm ESET says the Molerats, also known as the Gaza Hackers, have resurfaced with Welcome Chat, an app that represents itself as offering secure messaging. It does, indeed, deliver messaging, but security - not so much. It's a spyware carrier by design.
Dave Bittner: The app targets Arabic speakers in the Middle East. As ESET describes it, quote, "not only is Welcome Chat an espionage tool. On top of that, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store."
Dave Bittner: Welcome Chat requests that users grant an extensive list of permissions upon installation - access to SMS messages, accessing files, record audio, access contacts and access device location. Chat apps do tend to request more permissions than most other classes of applications, and so even this list might pass a user's scrutiny without raising an alarm. But in this case, the permissions do more than facilitate chat.
Dave Bittner: Designed to call back to its command-and-control server every five minutes, Welcome Chat has been observed exfiltrating sent and received SMS messages, call log history, contact lists, user photos, recorded phone calls, the GPS location of the device and device information.
Dave Bittner: Many, if not most, spyware apps of this sort are Trojanized versions of legitimate applications, but ESET thinks Welcome Chat is different - that it was designed from the outset as spyware. Usually, you can find the original, clean version of an app that's been Trojanized. ESET, however, has looked, and they can't find a clear version of Welcome Chat anywhere. Sure, sure, we know. Absence of evidence isn't evidence of absence. But on the other hand, it's reasonable to think that an innocent version of Welcome Chat would've turned up by now.
Dave Bittner: So if you're interested in security advice - and who isn't? - don't install Welcome Chat. ESET generalizes that advice. Don't install any Android app offered outside Google's Play Store. That's not an infallible marker of legitimacy and security, but it's far, far better than buying from the virtual equivalent of some guy's car trunk on the corner of Greenwood and North Avenue.
Dave Bittner: Security firm Check Point warns that the Phorpiex botnet is delivering Avaddon ransomware. Phorpiex had hitherto been best known as a distributor of sextortion emails, but it's now carrying more than an implausible threat to email your friends discreditable screenshots of you during moments of private leisure. It had also been used to distribute GandCrab ransomware, ZDNet notes. Its distribution of Avaddon is accomplished with a phishing email that uses a wink emoji as its subject and carries a payload in an attached zip file. Apparently, it's working on someone, hard as that may be to imagine.
Dave Bittner: KrebsOnSecurity confirms that security start-up Data Viper, which describes itself as a threat intelligence platform designed to provide organizations, investigators and law enforcement with access to the largest collection of private hacker channels, pastes, forums and breached databases on the market, has itself been breached, possibly. The founder of Data Viper, Vinny Troia, says that the data that's been posted for sale in the dark web didn't come from his firm but rather from the original hackers who are simply interested in discrediting him. Mr. Troia does acknowledge that there was a compromise at Data Viper but says it occurred when one of his developers accidentally left his credentials exposed. He blames the hacking groups GnosticPlayers and ShinyHunters for the whole operation, and he describes their motive as personal revenge.
Dave Bittner: One bit of alleged fallout from the Data Viper affair, ZDNet reports, is what appears to be a very large trove of personal data lost in the 2019 MGM Resorts breach. The tally of affected guests had earlier been put at 10.6 million. But if those who claim to have hacked Data Viper are to be believed, that number is an order of magnitude too low. They're advertising data on more than 142 million MGM hotel guests, and they're asking just a shade over $2,900 for the whole shebang.
Dave Bittner: Ann Johnson is corporate vice president - business development, security, compliance and identity at Microsoft. She's presenting a keynote at the upcoming RSA Asia Pacific and Japan conference, with which the CyberWire is proud to be a media partner. Ann Johnson's keynote is titled "The Rise of Digital Empathy."
Ann Johnson: Digital empathy is the ability for the user to make errors and not have their work impacted. It's the way I would describe it the best. When you think about what we've gone through in the first six months of 2020 on a global scale, when we sent the largest, you know, workforce home to work remotely, and we did it very quickly, we needed users to be productive. And those users needed to have access to their tools. But we didn't want them to be stressed out about the security or the privacy or the compliance around the use of those tools. So when I talk about digital empathy in the context of cybersecurity, it's that ability to actually allow the user the room to make mistakes. But the tools are good enough that the environment and the entity, whether it's a government entity or corporate entity, will be protected even if the user does make an error - because the user is just in a very stressful environment, right? And they're trying to work. Maybe they have their children at home. Maybe they're having to procure groceries in a different manner, or they're caring for a sick family member. So it really does need to be empathetic to the end-user experience when we're thinking about building cybersecurity tools.
Dave Bittner: Can you give us some examples of some practical ways to implement this sort of approach?
Ann Johnson: Sure. The first thing I would say - and it's the thing I always say - is mandate multi-factor authentication for 100% of your users 100% of the time. This way you remove the password in its entirety - right? So you don't have to risk the user clicking on a phishing link and giving away their credentials innocently because they didn't realize the link was a phishing link. If you're requiring the use of multi-factor authentication, it makes the password near useless. Now, nothing is perfect, but that's one way to give a lot of empathy to the end user because you're saying, look. We're going to give you a tool that means if you make this common error, by the way, of clicking on a phishing link, it has much less impact to you. And it has much less impact to the enterprise.
Dave Bittner: It strikes me that, as you kind of touched on earlier, the cybersecurity industry itself - I would say, if you listed, I don't know, their top five attributes, I don't suspect empathy would make the list. Is this a bit of a culture change that needs to take place here?
Ann Johnson: It is. And the cybersecurity industry has a lot of things we - it's a maturing - right? The industry needs to mature in a lot of ways all the way from the language we use to describe things. I actually wrote a blog on that. I think it's been about a year and a half ago - through how we think about the end user and the end-user experience and how we develop tools that are easier to use but also really transparent to the end user, so they're just experiencing their work. And all of that is a part of what I said, a maturing process, of the cybersecurity industry as a whole.
Dave Bittner: That's Ann Johnson from Microsoft. The RSA Asia Pacific and Japan conference kicks off this week.
Dave Bittner: It's Patch Tuesday, and Redmond will issue its customary round of fixes later today, but SAP is already out with a significant patch. The issue, CVE-2020-6287, arises in the LM Configuration Wizard of the NetWeaver application server. Researchers at Onapsis discovered the vulnerability, which is reckoned a serious one. There's no evidence of exploitation in the wild so far, but CISA strongly recommends applying the patch as soon as possible. At least 40,000 SAP customers are thought to be at risk. Onapsis calls the bug RECON, that is Remotely Exploitable Code On NetWeaver. It opens affected SAP systems to an unauthenticated attacker who could gain full access to them. Onapsis writes, "this includes the ability to modify financial records, steal personally identifiable information from employees, customers and suppliers, corrupt data, delete or modify logs and traces and other actions that put essential business operations, cybersecurity and regulatory compliance at risk," quote. Thus, RECON represents a serious threat to data integrity, security and privacy.
Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hey, Ben. Great to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: Interesting article came by having to do with electronic surveillance records. And this is a finding from the U.S. Court of Appeals for D.C. Unpack it here for us, Ben. What's going on?
Ben Yelin: So the article says that the U.S. Court of Appeals for the District of Columbia Circuit ruled that a federal judge should unseal electronic surveillance records in closed investigations. So there are a lot of investigations where there's classified information on which surveillance tools were used - so whether it was pen registers, whether it was something obtained through the Stored Communications Act. And people who are interested in these types of surveillance methods want to find out, you know, after the investigation has been closed what types of methods have been used.
Ben Yelin: There's a very enterprising reporter who works for BuzzFeed News. His name is Jason Leopold. You should follow him on Twitter because he is the FOIA king. He is constantly submitting Freedom of Information Requests and uncovering fascinating information, including redacted parts of the Robert Mueller report. So I'll give a shout-out to him first and foremost.
Ben Yelin: The argument on them on behalf of the government was that producing this data would be too time-consuming and burdensome. It would be too much effort, basically, too much of an administrative burden. The decision handed down by Judge Merrick Garland - yes, that Merrick Garland - holds that a large administrative burden cannot be a valid excuse against releasing this information.
Ben Yelin: Now, he respects the administrative burden. This is going to take a lot of man hours to go through and figure out what exactly needs to be redacted and unredacted. It might take a lot of personnel. That's fine to the extent that it might delay the release of this information, but it is not in and of itself a justification to deny this Freedom of Information Act request. And the reason for that is that the public has a right to know, after these cases have been closed, what surveillance methods are being used on our fellow citizens. So I think it was a pretty ground-breaking decision from the second-highest court - in my opinion, the second-highest court in terms of importance in the United States. So a very interesting decision.
Dave Bittner: Is this likely the final word on this? Or could this go farther from here?
Ben Yelin: It's possible it could go further. The decision on the three-judge panel was unanimous. Now, the government can petition to have the entire D.C. Circuit hear the case. You know, I think it's possible, depending on how much they really want to hide information on their surveillance methods, that at least could push - could kick the can down the road a little bit. I would expect the D.C. Circuit, because the three-judge panel was unanimous, to deny rehearing en banc, meaning that the whole D.C. Circuit Court of Appeals would hear the case. And if that's true, the government would have to appeal to the Supreme Court.
Ben Yelin: You know, I don't know if the Supreme Court is really interested in weighing in on this. It doesn't seem to be a split among circuits. It's a very D.C.-specific issue - accessing federal records. So it's not like many other courts would or should have the opportunity to weigh in. So if I had to predict it, I do think this is probably the final word on this particular question.
Dave Bittner: I see. Yeah, I have to give a tip of the hat to Merrick Garland. He managed to, in his opinion here, include a reference to "Raiders Of The Lost Ark."
Ben Yelin: Yeah, he's such a good writer. Putting in that Indiana Jones reference is just the tip of the iceberg for Merrick Garland, who has had to settle for his current position, which is still extremely powerful. But yes, major hat tip to him. And I'll mention the other two judges who were part of this decision. One of them is Larry Silberman - aren't exactly, you know, your garden-variety liberal judges. So this is a pretty broad decision ideologically.
Dave Bittner: All right. Well, interesting development. I suppose this is one of those that has long-lasting implications.
Ben Yelin: Absolutely. You know, and I think we'll see fewer government agencies try to use the excuse that there's a large administrative burden when they're seeking to deny FOIA requests. Now, there are other reasons they can invoke to deny FOIA requests. There are a lot of exceptions in the FOIA laws. But it's going to be harder to use this particular excuse after this decision was handed down.
Dave Bittner: All right. Interesting stuff. Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. A happy Bastille Day to all of our listeners in France. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.