Indonesian election security. Watering hole in Pakistani passport site. RAT hunting. “Intelligence brute-forcing.” Just-patched zero-day exploited. PoS DGA attack. Operation Sheep. BND advises “nein” to Huawei.

Dave Bittner: [00:00:04:03] Indonesia says it’s got voting security under control and a lot of the problems sound like good old familiar fraud and dirty campaigning. Trustwave warns of a watering hole on a Pakistani government site. Recorded Future goes RAT hunting. Proofpoint offers a look at “intelligent brute-forcing.” Kaspersky reports on two espionage APTs exploiting a just-patched Microsoft zero-day. Flashpoint describes an unusual point-of-sale attack and Check Point find Trojanized Android apps. Germany’s BND warns against Huawei.

Dave Bittner: [00:00:45:02] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses to day isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys. Your employees, contractors and privileged users. In fact, a whopping 60% of on line attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:49:02] From the CyberWire Studios at DataTribe, I've Dave Bittner with your CyberWire summary for Thursday, March 14th, 2019.

Dave Bittner: [00:01:57:02] Indonesian authorities have said, after complaining of Russian and Chinese attempts to meddle with that country’s voting, that elections will go on as planned and that they expect the vote to be credible and fair. It’s no longer singling out Russia and China. There have been, authorities tell Reuters and others, what they characterize as “probes” from a range of foreign IP addresses (including Russia and China, but not limited to those two). In any case, the government says it’s confident of its ability to handle any disruptions. The opinion in Jakarta is generally that domestic finagling is probably more prevalent than any foreign influence attempts. So the threats are the more commonplace ones: rumor-mongering, campaign lies, and the sort of vote-buying any old-time Chicago ward heeler would recognize, like giving someone a turkey and a ride to the polling place if they and their deceased relatives could commit to voting for the machine candidate. They may make a lot of bean bags in Indonesia, but politics ain’t beanbag there, either.

Dave Bittner: [00:02:58:13] A number of security firms reported threat research results yesterday and today. We’ll run through some of them.

Dave Bittner: [00:03:04:19] Trustwave’s SpiderLab is warning of compromised Pakistani government sites serving keyloggers. The compromised sites belong to a subdomain of Pakistan’s Directorate General of Immigration and Passport that enables people to track their applications through the system. It’s effectively a watering hole attack that serves visitors Scanbox malware. Scanbox normally appears in the reconnaissance phase of an attack, where it’s used to gather the sort of information that will prove useful in subsequent targeted attacks. Spider Lab doesn’t offer any attribution for the Pakistani infestation, but they do note that Scanbox has been used in the past by Chinese APTs StonePanda and LuckyMouse. Whoever’s behind it, they may have noticed that Trustwave is on to them, since they appear to have gone quiet

Dave Bittner: [00:03:54:14] A significant number of attacks against corporate data are traceable to remote-access Trojans (RATs), many of which represent commodity malware traded in the criminal underground. Recorded Future this morning published an overview of RAT activity. They paid particular attention to Emotet, Xtreme RAT, and ZeroAccess. The researchers were interested in tracing the RATs’ command-and-control channels. Most Emotet controllers resolved to Latin America, as did a “significant proportion” of infected Emotet hosts in the automotive, retail, finance, energy, entertainment, logistics, construction, and technology sectors. Xtreme RAT infections showed some geographical diversity, turning up in European utilities and video game outfits, telecoms in the Middle East, South Asia, and East Asia, and at least one industrial conglomerate and an IT company, also in East Asia. The attackers’ motives are an interesting mix of financial gain--that is, straightforward theft--and street cred--that is, showing off their skills in front of the knucklehead hacker community.

Dave Bittner: [00:05:01:21] In the U.S. as citizens grow increasingly frustrated with what many consider unreasonable encroachments on their privacy, California is leading the way when it comes to consumer privacy legislation. Jeremy Tillman is from Ghostery, makers of the popular privacy focused web browser plug-in, and he offers this perspective.

Jeremy Tillman: [00:05:22:00] One interesting moment in the sort of U.S. legislative ecosystem where both parties are trying to stake out positions on consumer privacy, over the past couple of years with the growing in scales with Facebook with some of the increased scrutiny even on Google and Apple, I think both sides of the aisle are trying to find a message that appeals to voters. What's interesting though is that there's a lot of competing forces that are sort of playing a bit of a tug-of-war over what these Privacy Laws might be and I think it's pretty striking how they are similar to and how they might be different what GDPR is. So, I think the most well known one is the California Privacy Act which, in many respects is the strongest Data Protection Law in the U.S. By and large it's pretty much head and shoulders above anything else that has been proposed in the U.S. It is very strongly requiring consumers have a right to know what companies are collecting about them and whether their data is being sold. I think, compared to the GDPR, where it falls short is really in two ways. The first is that the GDPR has pretty strict requirements around disclosure by companies and the requirement for consumer opt-ins. Second, the GDPR also has really, really stiff penalties. In fact, I think Google recently had a 50 million Euro fine and those fines can go up to millions of dollars. The California Data Protection Act has far fewer teeth when it comes to the fines and I think that the biggest fine that a company could get for a single violation is like 7,500 bucks. So, if you're Google or Facebook or any of these big companies, it's more of a PR cost if you violate the California Privacy Act, but there's not a lot of financial risk here if you've got very aggressive data collection practices.

Dave Bittner: [00:07:16:11] And what about this notion that this should really be the first step towards some sort of national policy?

Jeremy Tillman: [00:07:22:13] So, in a weird way, the California Protection Act is, at the moment at least, the sort of de facto national policy, because there is no stronger law in the U.S. and because most of these tech companies are in California, it effectively is the only game in town. But there's definitely efforts to pass a watered down version of a Privacy Act that would supersede the California Privacy Protection Law. You can definitely sort of see how this plays out based on where the tech companies themselves are lining up and which things they fight against and which things they support. I think, most recently you've had sort of a flurry of different proposals. There's the recent one from Marco Rubio, The America Data Dissemination Act and it's interesting, that Act is very much vaguely worded and doesn't really include a lot of specifics, but what it does include is the fact that this would supersede any state laws. So, there's definitely an effort on behalf of, I think, tech companies in their lobby to get a watered down version of a Federal Privacy Act that rather than conflicts with their business models, perhaps entrenches it even further.

Dave Bittner: [00:08:31:04] That's Jeremy Tillman from Ghostery.

Dave Bittner: [00:08:34:13] There are surely many advantages to cloud services: economy, convenience, and indeed security, especially for smaller enterprises. But the cloud isn’t, of course, either foolproof or failsafe. Proofpoint released a study today in which it outlined how threat actors breach cloud accounts. They’re seeing a more complex and sophisticated approach to brute-forcing, sufficiently sophisticated as to perhaps no longer deserve the name of brute-forcing. Proofpoint calls them “intelligent brute forcing.” Attackers used password-spraying and credential stuffing, made easier by access to large credential dumps. These were followed with phishing for credentials that would give further access to corporate accounts. The goal is internal phishing and business email compromise, always more persuasive than attempts that obviously originate outside an enterprise. The endgame, of course, is usually theft of either money or data.

Dave Bittner: [00:09:30:03] Kaspersky Lab reports that a zero-day Microsoft patched this week, CVE 2019-0797, is being actively exploited by two espionage APTs, SandCat and FruityArmor. SandCat also uses CHAINSHOT malware and the controversial intercept tools FinFisher and FinSpy. FruityArmor’s been around for a while, and SandCat is a more recent discovery. Attribution is unclear, but the APTs appear to have a particular interest in Middle Eastern targets.

Dave Bittner: [00:10:05:14] Flashpoint researchers note an unusual point-of-sale campaign that's targeted mainly small and medium-sized businesses. DMSniff creates command-and-control domains using a domain generation algorithm. This makes the malware more resistant to domain takedowns by police or tech service providers. Flashpoint says this particular tactic hasn’t often been seen in point-of-sale attacks.

Dave Bittner: [00:10:30:11] Researchers at Check Point describe "Operation Sheep," in which Chinese IT and services firm Hangzhou Shunwang Technology is apparently scraping data (contact lists, geolocation, and QQ messenger login information) from Android phones via some twelve Android apps infected through a data analytics software development kit. The applications are available through third-party stores and seem mostly to affect users in China. Check Point thinks the app developers and the stores have been unaware of the data collection campaign. Shunwang may be doing its collection mostly domestically, but international concern about Chinese presence in infrastructure, especially in 5G build-outs, remains high. Germany is set to auction 5G licenses next week, and that country’s intelligence service has added its warning to those offered earlier this week by the European Parliament. The BND says that Huawei in particular is not to be trusted in the infrastructure.

Dave Bittner: [00:11:31:23] The CyberWire was at the Johns Hopkins University yesterday, attending the Cybersecurity Conference for Executives. The conference, organized by the Johns Hopkins Whiting School of Engineering and Ankura, concentrated on regulatory frameworks and trends, and the sometimes surprising impact of national, international, and state regulations on businesses of all sizes. You may not think you're interested in GDPR (or for that matter HIPAA, or CCPA), but as several experts explained, they're interested in you. Be brave, but don’t hesitate to seek help as these regulatory frameworks continue to evolve.

Dave Bittner: [00:12:14:07] It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future. The real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and everyday you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring out show.

Dave Bittner: [00:13:20:06] Joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, it's great to have you back. I wanted to touch base with you about the situation that's going on with the electrical grid down in Venezuela. Lots of intrigue there?

Robert M. Lee: [00:13:35:08] It's a really sad situation. Obviously, regardless of the cause of the outage you're talking about, massive outages across the country and ways that we already know people have died, a lot of folks are in hardship as well as just in general fear. Turmoil in their country exists and now they have to deal without the basic utilities of life, so it is an incredibly heart-wrenching kind of scenario that they in right now.

Dave Bittner: [00:13:58:21] Now, what do you make of President Maduro blaming the U.S. for this outage? He went so far as to say that "The U.S. conducted a demonic electromagnetic attack." I'm going to guess that a lot of people aren't taking that seriously?

Robert M. Lee: [00:14:12:12] No. You know, the original discussion was around a cyber attack. They kept pointing to and discussing a specific dam in their country the cyber attack took place at, but then it turns out that they didn't quite know where the outage was coming from: whether it was like a transmission line issue or generation issue, so they came right out of the gate saying hey, it's a cyber attack. We have the evidence and it's the United States. Then it turns out, not only do they not have evidence, but they didn't even know exactly where the outage was coming from, which definitely calls into question any discussion of attribution or belief that it was a cyber attack. Then, later on, they were talking about the electromagnetic aspect which was, if I remember correctly, even talking about weird drone-like devices that perched on top of the transmission lines and then performed this. I very overtly call into question their ability to know what a cyber attack or electromagnetic issue would look like. What I mean by that is the way that they're describing both the cyber attack and the way they're describing the electromagnetic pulse attack indicates to me that nobody involved in creating that story had familiarity with what a real one would look like and it's obvious in the way they describe it. So, I not only say that it is unlikely to be the case, but they really do not include the appropriate language to indicate that they're there.

Dave Bittner: [00:15:42:05] Isn't it interesting though that, you know, cyber attack becomes something that they can just toss out there as a cover to not blame themselves?

Robert M. Lee: [00:15:52:01] Yes, it is and this actually kind of harkens back to a couple of things that many of us in the community are warning about. I mean, I've written extensively about before on the need to have evidence presented with attribution and also the need to understand the implications of targeting infrastructure. So, on one hand, you know, when the United States comes out and does attribution on different countries, I think it's actually a good tool. I don't really think there's value in private sector companies doing the attribution they do. I've been a critic of that before. But for a government to come out and do so is an incredibly important part of international relations and their ability to dictate policy and action. But doing attribution without actually providing evidence, which we have done plenty of times before, some of the indictments the exact opposite really. But some of the times that we've done attributions as a country have been completely void of actual evidence and that sets a precedent where other countries can do the same. I think many countries do take the United States coming out and making claims of attribution much more seriously than Venezuela, but on the international scene I don't know that we should set that precedent that it is okay to do attribution without evidence. Like, if a country is going to come forward claiming sources and methods and hiding behind classified data, it's not going to be conducive to ever setting the standard that countries actually have to put up or shut up. Now that can be become tricky in areas like this. On the converse, going back to the cyber attack discussion. I don't this is a cyber attack. There's zero evidence to support it, but nobody can rule it out either, because, obviously, we're not on the ground looking at this case and I don't think it's a high chance but, you know, you can't just equivocally come out and say something is not something. But what I will say on this is, it is a good example of what I've kind of petitioned before which is get out of other people's infrastructure. If there is no such thing as a good guy or gal in terms of cyberattackers, it's the idea that any country could break into any other country's infrastructure like you're the bad guy. There's no, oh we're just here for intelligence purposes or oh, it's prepositioned to conflict or oh whatever. And I think modern countries struggle with this, of the desire to break into infrastructure for military planning purposes, but not necessarily do anything with it and the problem is you could accidentally cause an issue and we've seen that in attacks before. That is very likely what occurred in the German steelworks case in 2014. But this could be. I don't think it is. I don't want to start that rumor either. Like, I really don't think this is a cyber attack, but it's a good example of in aging and poorly maintained infrastructure, if a intelligence agency or military group breaks into an organization and accidentally does something to take down infrastructure, you open up this entire issue of not only political consequence, but potentially cascading issues where they're already poorly maintained, that infrastructure. There's already turmoil in that country. You could cause an issue that scales way beyond your control very quickly, where we are talking about loss of human life and that is just unfortunate. So, is this case cyber attack? I don't think so. There's nothing to support and with their jumping narrative, it does seem that they're just blaming anything and everything to distract from the actual issue. But it is a good example of the kind of issues that can come up if people are poking around in each other's infrastructure.

Dave Bittner: [00:19:23:08] Robert M. Lee thanks for joining us.

Dave Bittner: [00:19:30:06] And that's the CyberWire. Thanks to all of our sponsor for making this CyberWire possible, especially out supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. This CyberWire Podcast is proudly produced in Maryland out of the Start Up Studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik. Social Media Editor, Jennifer Eiben. Technical Editor, Chris Russell. Executive Editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.