The CyberWire Daily Podcast 10.25.22
Ep 1690 | 10.25.22

US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware phishing. Varonis discovers Windows vulnerabilities. CISA expands KEV Catalog.


Tre Hester: The U.S. Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware group phishing campaign. Varonis discovers two Windows vulnerabilities. Mr. Security Answer Person John Pescatore on security through obscurity. Ben Yelin on the DOJ spying cases against China. And CISA expands its Known Exploited Vulnerabilities Catalog with six new entries.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Tuesday, October 25, 2022. 

US Department of Justice unseals three indictments in PRC spying cases.

Tre Hester: Yesterday, we reported some breaking news from the U.S. Justice Department concerning espionage cases involving Chinese intelligence services. More has emerged since then. To recap, the U.S. Department of Justice yesterday held a press conference to announce the unsealing of three cases against 13 Chinese nationals, including 10 Chinese intelligence officers. Attorney General Merrick Garland outlined the cases. 

Tre Hester: The first involved charges against two Chinese intelligence officers who allegedly bribed a U.S. citizen - a law enforcement insider - to reveal sensitive and non-public information about the U.S. prosecution of a Chinese telecommunications company. That insider, however, was a double agent and not someone the Chinese officers had successfully recruited as an asset. Quartz reports the two Chinese intelligence officers were fed false information by the U.S. government employee provided to the employee by the FBI. 

Tre Hester: Who is the Chinese company on trial in New York? One of the reporters asked directly, quote, "Was it Huawei?" end quote. But the Justice Department officials declined to name the Chinese company involved in the prosecution. Since then, however, the Wall Street Journal and others have reported that sources confirm that the company involved is indeed Huawei. The two men face charges of obstruction of an official proceeding and money laundering. They are, of course, in addition to the earlier bank fraud and racketeering charges the U.S. has filed against Huawei. 

Tre Hester: The second case involved the activities of a front Chinese academic organization that had allegedly been engaged in both theft of U.S. intellectual property and in the suppression of constitutionally protected free speech regarded as embarrassing to China. Four individuals were charged in that case. 

Tre Hester: Finally, the third case, in which seven individuals were indicted, involved China's Operation Fox Hunt, a long-running program of forcibly repatriating Chinese who have emigrated to other countries and who are regarded as a threat to the reputation or security of the People's Republic. Chinese agents are alleged to have hounded victims and their families with physical intimidation, frivolous lawsuits, threats and other harassment, with Foreign Policy reporting that the seven individuals indicted promised to make the victims' life a, quote, "endless misery," saying that these would not stop until the victims return to China. 

Tre Hester: Attorney General Garland said, quote, "As these cases demonstrate, the government of China sought to interfere with the rights and freedoms of individuals in the United States and undermine our judicial system that protects those rights. They did not succeed. The Justice Department will not tolerate attempts by any foreign power to undermine the rule of law upon which our democracy is based. We will continue to fiercely protect the rights guaranteed to everyone in our country, and we will defend the integrity of our institutions," end quote. 

CERT-UA warns of Cuba ransomware group phishing campaign.

Tre Hester: The Computer Emergency Response Team of Ukraine warns that it observed phishing emails that misrepresent themselves as coming from the press service of the General Staff of the Armed Forces of Ukraine. The emails invite the recipients to follow a link and download a document called Order_309.pdf. The victims are then taken to a page that informs them that they need to update their PDF reader. The link is malicious, BleepingComputer reports, and performing the bogus update installs the RomCom Remote Access Trojan on behalf of the Cuba ransomware group. Cuba has recently been active in the present war, hitting targets in Montenegro last month. 

Tre Hester: BlackBerry researchers describe RomCom's capabilities as follows - quote, "Main RomCom functionalities include, but are not limited to, gathering system information, disk and files information enumeration, and information about locally installed applications and memory processes. It also takes screenshots and transmits collected data to the hardcoded command-and-control. If a special command is received, it supports auto-deletion from the victim's machine," end-quote. Thus RomCom can function both as an espionage tool and a wiper. It's still fairly low-grade offensive work and still falls short of the devastation widely expected earlier in the cyber phases of Russia's hybrid war against Ukraine. 

Varonis discovers two Windows vulnerabilities. 

Tre Hester: Researchers at Varonis announced today that they'd discovered two Windows vulnerabilities they're calling LogCrusher and OverLog. Both are located in the operating system's Internet Explorer-specific Event Log. The vulnerabilities can be used to carry out denial-of-service attacks. LogCrusher allows the domain user to remotely crash the Event Log application of any Windows machine on the domain. OverLog can be exploited to induce a remote denial-of-service condition by filling the hard drive space of any Windows machine on the domain. OverLog has been fully patched and assigned to CVE designation CVE-2022-37981. Microsoft has not fully patched LogCrusher, which doesn't affect versions of Windows more recent than Windows 10K, but recommendations for remediation are available. In full disclosure, we note that Microsoft is a CyberWire partner. 

CISA expands its Known Exploited Vulnerabilities Catalog with six new entries.

Tre Hester: And finally, the U.S. Cybersecurity and Infrastructure Security Agency has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Two involve Cisco AnyConnect vulnerabilities, and the other four affect multiple Gigabyte products. In all cases, users are advised to apply the vendors' patches according to the vendors' instructions. Federal civilian executive agencies have until November 14 to check their systems and patch them as necessary. 

Tre Hester: Coming up after the break, Mr. Security Answer Person John Pescatore on security through obscurity. And Ben Yelin sits down with Dave Bittner to discuss the DOJ's spying cases against China. Stick around. 

Digitized Voice: Mr. Security Answer Person. Mr. Security Answer Person. 

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Our question for today's episode comes via Twitter from Steven Summers (ph). Steven posted a picture from a security conference that showed the Wi-Fi access point SSID and login password and asks, is it really a good idea to hop on a network in a large gathering of security professionals? Well, Steven, the short answer is it depends on what type of cybersecurity conference you're at. If it was all security awareness or governance risk compliance or identity and access management professionals, you might not have to worry so much. But if you're at DEF CON Black Hat or at a conference focused on pen testing or one making big bucks through bug bounty programs, you might might want to think twice. It could be like rubbing yourself with seal fat before taking a swim in the ocean. 

John Pescatore: Your question raises two other important issues. The first is, you really should not connect your laptop to any network, including the internet, unless you're sure that laptop is at least at the essential security hygiene level or higher. Security conferences aren't the only place where security experts are lurking - although, cybercriminals and state-based attackers on the internet are also professionals and experts. Go take a look at (ph), where the SANS Internet Storm Center takes user-forwarded logs and shows how quickly vulnerabilities are scanned for over the internet. Historically, the average time for a vulnerable Windows PC to be probed is about only 100 minutes. Automated scans set up by skilled bad guys are rampant. 

John Pescatore: The second point is the old debate over security through obscurity. Back in the day, it was common for vulnerabilities to exist, and vendors did not want to let anyone know until after the updated patch software came out. The idea seemed to make sense. Why give the bad guys a head start? But once Microsoft and others started issuing regular patch releases, giving credit to who discovered the vulnerability, it became obvious that a high percentage of vulnerabilities were being found by outside security researchers, what we call white hat types. If those white hats were finding them before the software vendors' own teams, you can be sure that the black hat types were too. Turns out security through obscurity doesn't work any better than putting your wallet in your sneakers when you go in the water at the beach. For criminals, out of sight is not out of mind. 

John Pescatore: But you don't have to don a suit of armor every time you go outside either or have very visible laser beams across every door and window in your house to be safe. That essential security hygiene level will keep your laptop safe from the vast majority of attacks that are likely to reach it directly over the internet versus those that go through the user, like phishing attacks. And throw in multifactor authentication, and you're ready to brave connecting to that network at most security conferences. 

John Pescatore: Back in the '80s, I worked for the U.S. Secret Service, providing technical security for trips by the president, vice president and others. The Secret Service can rarely say, don't go there, so the security model has to make sure an essential, protective hygiene level is always in place, which had a very visible - a non-obscure - outer layer of guys in suits with earpieces in their ears and guns under their suits. That was backed up by less visible layers of protection, much of which was in place regardless of the destination. 

John Pescatore: What are we getting at is this. You must maintain a due-diligence level of protection - what I'm calling essential security hygiene - independent of particular threats or dangerous networks at security conferences. You can't be prepared for advanced starts without doing at least that. When you integrate threat intelligence, you can raise the bar through a mix of improved people skills, stronger security processes and advanced technology. But you will almost never be able to tell the business, don't go there. And by the way, if you're in the hotel business, do tell the business side that if they book conferences of pen testers or vulnerability researchers, they better invest in going well beyond that basic essential level. 

Digitized Voice: Mr. Security Answer Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Digitized Voice: Mr. Security Answer Person. 

Tre Hester: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: So big story this week was the DOJ coming at some Chinese spies and accusing the Chinese government of malign schemes. Give us a breakdown here, Ben. What's going on? 

Ben Yelin: So early this week, the United States unveiled charges against two Chinese intelligence officers for - and I'm quoting The Washington Post article here - "attempting to subvert a criminal investigation into a China-based telecommunications company." The company itself was not revealed in the indictment, but based on anonymous sources and, frankly, common sense, it is... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Assumed to be Huawei, which has been under investigation by our Department of Justice since 2019. 

Ben Yelin: The allegations are pretty startling. So 10 individuals, who are Chinese intelligence officers or government officials, were working on the Chinese government's behalf to bribe a U.S. law enforcement agent to share secrets about this investigation. And this was a way, in the words of FBI Director Christopher Wray, to lie, cheat and steal their way into gaining a competitive advantage. Little did these suspects know that they were actually speaking to a double agent, who was pretending to be a friendly U.S. intelligence officer, but was actually working on behalf of the Department of Justice. And they ratted out these individuals. And as a result, for these individuals trying to meddle in this criminal investigation, the Department of Justice has unsealed these indictments. 

Ben Yelin: Now, the immediate impact of the indictments is somewhat questionable. We do not have a good working extradition treaty with China, so it's not like Chinese government officials are going to be hauled in front of a U.S. judge in the near future. But I think it can still certainly have an impact. For one, it shows the capabilities of our own intelligence agencies to root out this type of behavior, identify it, and try to dissuade other malign actors - particularly those that might not be closely associated with nation states - to try to engage in this espionage. And it's not fun when you're a foreign national and you have an unsealed indictment from the United States Department of Justice. It means if you go to any country with which we have an extradition treaty, you're risking being sent to the United States for arrest and prosecution. 

Ben Yelin: So certainly, these individuals, while they might not face immediate criminal consequences, their lives are going to be upended by this decision. And I think it signals a new strategy from this administration to hold the Chinese government accountable for violating international law and for trying to meddle in this investigation that we've been undertaking for several years now. And in that sense, I really think it sends an important message. 

Dave Bittner: Do you suspect that we'll see some sort of overt response from China, or will they stay quiet about it? 

Ben Yelin: I am certainly not in the business of predicting actions on behalf of the People's Republic of China. That is a fool's errand. Generally, they do engage in retaliatory practices, but sometimes they play the long game. So it's not like they're going to indict some of our own intelligence officers in the next several days. I mean, I think it's - where we're engaged in a - I don't want to say a cold war because I think that terminology has some pretty heavy connotations - but a long battle with our Chinese adversaries, particularly on trade secrets and the corrupt practices of intellectual property theft by the Chinese government and its agents. And so as part of that ongoing conflict, we're certainly prone to all different types of retaliation. Whether that's a cyberattack on our government or our businesses or some other type of espionage - I think that remains to be seen. This is sort of another shot across the bow in this really ongoing battle between our government and the Chinese government in this realm. 

Dave Bittner: All right. Well, certainly worth keeping an eye on. Ben Yelin, thanks for joining us. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefings at 

Tre Hester: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.