Espionage for public health? (Disinformation against it.)
The CyberWire, May 4, 2020

News for the cybersecurity community during the COVID-19 emergency: Monday, May 4th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

China's COVID-19 disinformation campaign may have begun with social media suppression.

WIRED describes how quickly and comprehensively the Chinese government moved to suppress social media posts that dealt with the initial outbreak of COVID-19 in Wuhan. The efforts at suppression go back at least as far as the first week of January. How have reporters become aware of them? By following the maxim “Cover China as if you were covering Snapchat.” The posts have a brief life, so when you see something interesting, take a screenshot before the post is quashed and the account blocked for "spreading malicious rumors." Weibo and WeChat Moments are the most commonly used platforms on which ephemeral posts appear.

Avoiding embarrassment would surely have been a principal goal of the censorship campaign, but it may also have had a more direct, practical objective: suppressing the news may in part have served plans to stockpile necessary medical supplies. The AP and POLITICO report seeing a US Department of Homeland Security report that says, in part, “We further assess the Chinese Government attempted to hide its actions by denying there were export restrictions and obfuscating and delaying provision of its trade data.” Before informing the World Health Organization of the epidemic's outbreak, Beijing significantly cut back exports and increased imports of such basic medical equipment as facemasks, gloves, and gowns.

Intelligence services continue to investigate the source of the outbreak. The Washington Examiner reports that a majority of the agencies in the US Intelligence Community now believe "with high confidence" that the COVID-19 pandemic originated in the Wuhan Institute of Virology. The release is believed to be accidental, and the virus is not thought to have been engineered. The alternative explanation, that the outbreak involved zoonotic transmission from Wuhan wet markets, remains a possibility, but it's losing ground. The Examiner also quotes US Secretary of State Pompeo as saying that there's "enormous evidence" of the lab's role in the initial spread of the virus.

British universities' COVID-19 research targeted by Russian, Iranian intelligence services.

Sources at the National Cyber Security Centre (NCSC) say that Russian and Iranian intelligence services are seeking to infiltrate the networks of medical research programs working on COVID-19, the Telegraph reports. The Telegraph's story suggests that these efforts are part of the same campaign US counterintelligence authorities discussed last week with the BBC.

That attribution isn't universally held, and the evidence is still being developed. The report in the Guardian, which quotes extensively from statements by NCSC, indicates that the hackers could have been a criminal gang as easily as they could have been a nation-state, although in such cases those lines are often blurry. A report from ZDNet this morning adds China to the rogues' gallery of suspected states.

It pays to advertise.

SC Magazine has a round-up of expert observations on how the COVID-19 pandemic has affected the cyber underworld. Some of the changes are obvious, like the pervasive turn of scammers toward phishbait and fraud that take advantage of the fear surrounding the coronavirus.

One of the less obvious shifts has been in the profile the black marketeers present. Those who formerly sought to fly below the radar, visible only to a select clientele, are now seeking to reach as wide an audience as possible. And smaller players are taking advantage of what's perceived as an unprecedented market opportunity to attract more illicit business. In some cases this has achieved a self-defeating volume: even criminals don't like being spammed, and some of the more aggressive marketing has attracted negative customer reviews.

In the black markets themselves, demand for ransomware is up, and there's been strong demand for ransomware-as-a-service, but victims are less able to pay than they were before the pandemic's economic downturn. The gangs' ransom demands have dropped somewhat as criminals trim their expectations to the new market reality.

The market for stolen credentials has taken a turn toward telework service providers. Zoom credentials, of course, are being heavily traded, but so are credentials for other services. Since entertainment as well as work has moved into the home, streaming services like Netflix and Disney+ are also drawing criminal attention.

Cybercriminal markets have for some time seen growing commodification, and that trend has accelerated. Phishing and fraud kits are trading briskly in the criminal-to-criminal market, with prices generally running between $3 and $25. Kits that enable criminals to embed malware into trackers, maps, and other applications that provide information about the pandemic are especially in demand.

And, finally, cash is no longer king, at least not cash in the sense of conventional fiat money. Cryptocurrencies are clearly the criminals' preferred medium of exchange. We add the routine disclaimer that of course cryptocurrencies have many legitimate uses, and they're not inherently criminal or nefarious. But the crooks do like them.

CISA revises telework guidelines for US Federal agencies.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued revised guidance for telework. CISA's new site includes the following elements:

Another case of online proctoring, and the privacy concerns it raises.

A turn toward online learning during the COVID-19 pandemic has led students to return, more strongly, to concerns they'd already had about online proctoring. The Verge has an account of one such product, Examity, and how it's being received by students. It makes them feel, for one thing, "creeped out." That in itself isn't necessarily damning; lots of things creep people out, and sometimes that's just part of the donnée. But Examity is designed as a tool for ensuring a reasonable degree of academic honesty, and so it asks for a great deal of information. There are conventional requests for full name, email, and phone number, more intrusive requirements to upload a picture of the student's photo ID to Examity’s website, and then collection of a behavioral biometric template from the student's keystrokes. The proctor, a live natural person, finally asks the student to show a webcam view of the entire desktop and its immediate surroundings.

Two other issues arose. First, some of the questions a student answered were such that Chrome autofilled credit card information. The student deleted it and moved on, but the numbers were briefly displayed on the page. It was Chrome autofill and not Examity that displayed the card number, but such are the difficulties inherent in stitching together an online service. And second, the proctoring was conducted over Zoom, which has had its own struggles with privacy as it's sought to keep pace with dramatically increased demand.

This is the second case of online proctoring to raise privacy concerns during the pandemic emergency. The CyberWire Pro Privacy Briefing earlier discussed another service, Proctorio, in its April 21st issue.