The CyberWire Daily Podcast 2.7.20
Ep 1020 | 2.7.20

Chinese cyber espionage in Malaysia and Japan. Android Bluetooth bug. Google expels suspect apps from the Play store. More Iowa caucus finger-pointing. US preps indictments of Chinese nationals.

Transcript

Dave Bittner: [00:00:04] Chinese espionage groups target Malaysian officials, and two more Japanese defense contractors say they were breached, also by China. Google patches Android problems, including an unusual Bluetooth bug. Google also expels apps that wanted unreasonable permissions from the Play Store. Some in Iowa say the DNC pushed an eleventh-hour security patch to IowaReporterApp. The US may indict more Chinese nationals for hacking. And more Senate reporting on 2016 Russian influence.

Dave Bittner: [00:00:40]  And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:01:28]  Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, February 7, 2020. 

Dave Bittner: [00:02:02]  More Chinese espionage campaigns are in the news today. MyCERT - that is, Malaysia CERT - has issued an advisory warning that a cyber-espionage campaign has been conducted against government officials in that country. They don't specifically call out the parties responsible, but sources listed among their references suggest that it's APT40. APT40 is generally believed, as ZDNet notes, to be a group of contractors working for the Hainan department of the Chinese Ministry of State Security. 

Dave Bittner: [00:02:33]  Two more Japanese defense contractors have joined Mitsubishi Electric and NEC in making delayed disclosure that they were breached by Chinese threat actors, BleepingComputer reports. Pasco Corporation was hit in May of 2018. Kobe Steel was compromised in June of 2015 and again in August 2016. Data appear to have been exfiltrated during the incidents. The outfit behind the campaign is thought to be Tick, also known as BRONZE BUTLER and REDBALDKNIGHT, a state-backed group with a focus on cyber-espionage and information theft. These disclosures are said to have been delayed because of the complexity of the investigation. The Ministry of Defense coordinated the announcements because, as a spokesman put it, the attacks should be publicly disclosed. It is necessary to get the world to know and think about defenses. 

Dave Bittner: [00:03:26]  A Bluetooth flaw that leaves Android devices open to compromise has been discovered. It's a particularly noteworthy issue because an attacker could exploit the flaw without user interaction. The problem arises when the device has Bluetooth in discovery mode - that is, when it's looking for another device to pair with. The Register suggests that prudent users will avoid using Bluetooth on Android devices until they've fixed the problem. A patch is available in Android's February updates.

Dave Bittner: [00:03:56]  VPNPro, Trend Micro, and Cofense have found malicious Android apps in Google Play. Those identified by Trend Micro are interesting in that they post their own positive reviews in the Play Store - the better to attract downloads. Claiming to boost device performance, the apps' sock puppets tell potential users that they work just great. The effect is amplified by their use of the same text - great, works fast and good - accompanied by a standard four-star rating. Looks legit. 

Dave Bittner: [00:04:26]  VPNPro connects the bad apps it found to Shenzhen HAWK Internet Co., a Chinese firm said to be behind the nominal developer of the five security apps among the suspicious 24 it found, Hi Security. Hi Security's apps, VPNPro said, request especially dangerous permissions upon installation. What permissions count as dangerous? Well, things like access to a user's camera or the phone itself, and access to the phone would mean the app could place calls. Most of the apps can access the user's geolocation and read data kept on external storage. Fourteen of the 24 can collect and report details about the user's device and network. One of the apps wants to record audio on its own servers, and another one can access contacts. It's difficult to come up with legitimate reasons why an app might want to do these things, but they certainly look like the sorts of things spyware and fleeceware would wish to accomplish. Perhaps the company behind them can offer some clarification. 

Dave Bittner: [00:05:27]  Shenzhen HAWK, itself a subsidiary of TCL Corporation, a large and partially state-owned electronics company, told Forbes through its corporate parent that the whole thing is a misunderstanding. TCL said it takes its customers' privacy seriously and went on to explain: "We understand the actions Google has taken here in removing our applications from the Play Store, and we're actively working with them to better understand their concerns. We are also engaging an outside security partner to assist our teams in auditing each of our applications and set up ongoing auditing and monitoring to ensure we can offer the peace of mind and trust our customers expect from us." Naked Security reports that Google has yanked Shenzhen HAWK's 24 suspect apps from the store. And good riddance to them.

Dave Bittner: [00:06:15]  US Representative Sheila Jackson Lee, Democrat of Texas, asked FBI Director Wray at oversight hearings Wednesday if he intended to investigate the Iowa caucus, as it seemed to her the Russians may have interfered with the process. The suspicion is probably inevitable, but the representative seems to be an outlier in thinking the Russians interfered with her party's caucus. So far, there seems nothing to suggest that the problems at the caucus were rooted in anything other than a poorly designed and deployed app. 

Dave Bittner: [00:06:47]  There's been a fair amount of intraparty finger-pointing as the week draws to a close. The caucus tallies were completed yesterday, but amid a general mood of dissatisfaction. Tom Perez, chair of the Democratic National Committee, tweeted that he'd had enough and called upon the Iowa Democratic Party to recanvass because of problems with the ways in which the results were counted. The Iowa party pointed out, says The Washington Post, that it's up to the candidates to request this, not the DNC, and that they'd consider such requests, but from the candidates. The state party has extended the deadline for requesting a recanvass until noon Monday. 

Dave Bittner: [00:07:25]  And the Des Moines Register reports that Iowa party officials now blame a last-minute security patch the DNC demanded for the problems the Iowa reporting app experienced this week. John McCormally, a former member of the state party's central committee and this year a Polk County precinct chair, told the Register that, I know people say this was a conspiracy theory - that is, the party leaders - we're trying to rig results, but I don't think that's it at all. The DNC people are the people who literally had their emails hacked by WikiLeaks for the world to see. I think they are overly paranoid about hacking and security. 

Dave Bittner: [00:08:01]  McCormally gave the Register a copy of a communication he received Saturday evening that directed an eleventh-hour security upgrade for the Iowa reporting app. The state party would neither confirm nor deny that they were patching the app over the weekend, and the DNC itself said it had made an unnamed security vendor available to test the app but wouldn't say whether any patching was recommended. 

Dave Bittner: [00:08:24]  CyberScoop reports that the US Justice Department is preparing a fresh round of indictments of Chinese nationals for crimes related to cyber and insider industrial espionage. Assistant Attorney General for National Security John Demers wouldn't say when the indictments would be forthcoming, but he did say to expect them soon. 

Dave Bittner: [00:08:44]  And the US Senate has released the third volume of its projected five-volume investigation of Russian attempts to interfere with the 2016 elections. Politico's account of the report says the investigators found the previous administration generally unprepared to respond and uncertain of how to do so without appearing to improperly favor one candidate. This is probably understandable, given the unfamiliarity of the specific form the influence operations took and the relative novelty of the amplifying effects of social media. The administration did warn the Russians not to meddle and thought they'd induced Moscow to climb down at least a bit, but it now appears the Russians simply nodded and blew the Americans off. 

Dave Bittner: [00:09:32]  And now a word from our sponsor, KnowBe4. There's a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear. But don't panic. KnowBe4 is hosting an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom and learn more about this exclusive webinar. That's knowbe4.com/ransom. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:10:44]  And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, great to have you back. I wanted to talk about hospitals and ransomware, but I wanted to come at it this time from the patient side of things. What sort of insights do you have there? 

Caleb Barlow: [00:11:01]  Well, this can be really impactful not just for the health care practice but for the patients as well. And, you know, if we go all the way back to the - you know, like, 5 B.C., you know, with the Hippocratic oath, we have to remember that doctors have an obligation to do no harm. And interestingly enough, part of that Hippocratic oath is maintaining that patient's privacy. 

Caleb Barlow: [00:11:24]  Well, you know, the challenge here when we talk about a ransomware incident is, first of all, remember; if the data can get ransomed, it can just as easily get stolen or extorted. And we're starting to see instances where when a hospital doesn't pay the ransom, the bad guys may try to extort them for the data. So, you know, you have both the privacy concern as well as the impact of getting locked up. 

Caleb Barlow: [00:11:45]  But I want to talk in detail about the problem when a hospital gets locked up. And remember - you know, let's take a case of grandma. And maybe grandma's getting old. She's at a nursing home. She's probably got a pretty complex cocktail of pharmaceuticals, right? Maybe some to manage dementia. 

Dave Bittner: [00:12:03]  Sure. 

Caleb Barlow: [00:12:04]  Maybe some to manage, you know, her health ailments. Well, the problem is when that electronic health care records system is locked up with ransomware, those physicians don't have access to any of that information, and it could be months before they get access to it again. So the first thing to keep in mind is anyone with a complex medical history - a lot of that history has to get started all over again with those nurses and physicians. And unfortunately, a lot of that, especially when we're talking about elder care, involves some level of experimentation to get that drug cocktail just right. 

Caleb Barlow: [00:12:38]  So it can have an immediate impact on patients that are inside of an institution, but it can also have an impact on, you know, emergency care. I mean, we've seen multiple instances over the last year where patients have to get diverted when a hospital gets locked up with ransomware because they can't access the medical records. They can't access history. And, you know, you may also see your surgery that was scheduled three months out get deferred because if you - if I can't see the notes from the doctor, if I can't see your past images and X-rays, I'm probably not comfortable performing that surgery. 

Dave Bittner: [00:13:11]  I think about my own situation. My parents are getting older. They're in that category of elderly. As someone who is looking out for them, does it fall on me to keep a running backup of their medical information so that, if something happened with their health care providers, I could walk in there with my own document and say, here's the latest, here's the history, have at it? 

Caleb Barlow: [00:13:35]  Well, I don't think we're quite there yet, but I think we're getting really close. And I'll tell you I've asked myself the same question with, you know, some elderly relatives. And I'm starting to think that's probably not a bad idea - right? - where at the very least, if you've got someone - I mean, let's face it. Some people's medical record is a book, right? 

Dave Bittner: [00:13:56]  Right. 

Caleb Barlow: [00:13:56]  You know, having a printed copy of that is probably not a bad idea because then at least you're not having to recreate all of that from scratch. 

Dave Bittner: [00:14:06]  You're not going through their medicine cabinet, pulling out prescriptions and walking in the doctor's office with a bag full of them and saying this is what was here. I have no idea what they're actively taking. 

Caleb Barlow: [00:14:16]  Well, and let's put it this - let's put it another way, especially if you have someone that maybe has, you know, a large number of pharmaceuticals at home as part of a regular care regimen, you know. It's not a bad idea to have a copy of what their - you know, what their prescriptions are on their medical history just with you, anyway, in the event of an emergency. So I think that kind of age-old advice just probably gets underscored a bit more here now that we're in the realm where a hospital can get locked up with ransomware. 

Dave Bittner: [00:14:45]  Yeah, it's - really is a fascinating thing to think about, how you think about patient advocacy, you know. You have to be your own advocate. Well, that extends to this cyber side of how hospitals run as well. You have to be prepared that you may have to sort of fend for yourself if these records get locked up. 

Caleb Barlow: [00:15:05]  That's exactly right. And, you know, we're seeing patients make changes based on this. Twenty-five percent of patients have changed their provider following a data breach, right? Now, you know, obviously, a ransomware incident where a whole institution goes down is going to be even more impactful. The other thing we just need to be aware of as - you know, as CISOs at hospitals start to get prepared, is what happens if you have a system-wide impact, you know. If you're using the same systems and tools not across one hospital but across five or 10 in a region, then the potential impact becomes far more devastating. 

Dave Bittner: [00:15:41]  All right. Well, it's good stuff to think about. Caleb Barlow, thanks for joining us. 

Dave Bittner: [00:15:50]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single-sign-on, password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics - such as fingerprint or face - deliver a passwordless login experience for your employees while securing every password in use through Enterprise password management, and gain an integrated view across all access and authentication tasks and know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:17:17]  My guest today is Matt Cauthorn. He's vice president of cybersecurity engineering at ExtraHop. He joins us with insights on the leading big cloud platforms and perspective on their similarities and differences when it comes to securing your data. 

Matt Cauthorn: [00:17:32]  If you were to consider, say, AWS versus an Azure, if you've got operational practices that are conducive to the Microsoft stack and Microsoft services, like active directory, Office 365 and that whole application ecosystem, it might make a lot of sense for you to deploy there in Azure. Comparatively, in the GCP sense, we see lots of retail there, frankly, because of competitive concerns with the big player. So we see lots of retail in GCP. And we also see lots of DevOps-y, Agile, container-centric folks deploying there as well. 

Matt Cauthorn: [00:18:09]  So from a raw functionality perspective, they're very, very similar to one another at the end of the day, you know. Taken collectively, they force some practice-level changes and - think sort of paradigm changes - for the operations teams as they migrate apps up into the cloud. 

Dave Bittner: [00:18:27]  Well, take us through some of that. When folks are going through this process, what are some of the things that they have to contend with? 

Matt Cauthorn: [00:18:33]  It seems like a lifetime ago, but I came from a traditional data center application delivery environment, you know. We had globally distributed data centers and, you know, 90 remote sites here in the domestic U.S. And federating highly available, secure and, most importantly, like an Agile application delivery ecosystem in that traditional setting was very, very tough, disproportionately hard, I would say. 

Matt Cauthorn: [00:19:03]  I'll give you an example. It's very difficult to be, like, a traditional router switch person. Let's just start with the lower-level network staff who keeps things up and running. It's very difficult to just superimpose that skill set and that way of thinking into a cloud setting because the cloud constructs - as you know everything is now code and everything is software. 

Matt Cauthorn: [00:19:26]  And security is built as one of the foundational bricks that was laid for all of these providers. So you can't neatly separate yourself from other operational concerns any longer. In the old setting, in an enterprise, you know, you have these operational silos. And there's all sorts of coordination costs that goes along with that, lots of - it's a very high-latency information model, frankly. And in the cloud, it forces you to break those barriers down. And now, you know, the person who sets up a virtual private cloud, which is a segmented network in the cloud - they can't separate that action with the subsequent security-centric actions that go right along with that. 

Dave Bittner: [00:20:09]  Yeah, I mean, it's a really interesting insight, just the separation of the physical from the virtual, you know. You can't - I'm imagining someone in the old days, you know, saying, hey, we've got a situation here. I need you to go behind the rack and start pulling power cables out of routers, you know. Like, you can't do that anymore. 

Matt Cauthorn: [00:20:28]  That's right, yeah, you know. We were - just last week, we were all in Seattle at corporate headquarters. And we were talking to a customer who had this deploy-and-destroy paradigm in the cloud, where, depending on workload and a business-level event, they were able to deploy a massive amount of compute to address some market-level need. And then they would just wipe it off the map when it was done. 

Matt Cauthorn: [00:20:54]  And if things don't work, if you need to make a change, you can, like, redeploy a multidata center deployment with a network that stretches across them and all of the subnets. And, you know, the infrastructure components therein - those can just go away and get recreated on demand. And so it's a very, very different - again, the agility and just the low latency of it all, of the infrastructure itself. It just changes the game in ways that are good and bad, frankly. 

Dave Bittner: [00:21:23]  Well, let's dig into the other side of it, then. What are some of the potential traps that people have to be wary of? 

Matt Cauthorn: [00:21:30]  Well, so this is fairly well-trodden territory. And so I'll admit to an utter lack of originality here. But, you know, this shared responsibility model itself is something that I've seen personally with our accounts that are sort of at some stage of their - it's very dramatic term but their cloud migration journey, right? People are - everybody's got an initiative. And so one of the common things going back to the traditional data center model that I spoke to is just the shared responsibility model. 

Matt Cauthorn: [00:22:00]  There's, you know, the security of the cloud, which is - the service providers are going to be responsible for that, you know. The bare metal, the physical access, their employees and who can access systems with least amount of privilege and things like that. And then there's the security in the cloud. And on the Venn diagram of operational concern, there is a gray area there in the middle. And just wrapping your head around, you know, where your responsibilities stop and the providers start or vice versa is really step one. 

Dave Bittner: [00:22:35]  Are there common things that you see? The folks who are doing this well, the folks who are running in a sophisticated and mature way - are there things that they have in common with each other? 

Matt Cauthorn: [00:22:47]  Yes, absolutely. The number one, two and three thing is automation and standard configs. One of the beautiful things about the cloud in my opinion is that there are very well-understood and battle-tested design patterns that go along with very many or even most infrastructures or architectural designs. In AWS - and they've all got their flavor of this. But in AWS terms, it's the well-architected framework. They've got these design patterns that they themselves embrace as well as - you know. The customers over the years have learned these lessons, and they're very forthright about, you know, sharing that with the community. 

Matt Cauthorn: [00:23:26]  It's very, very difficult to achieve that in a traditional data center setting. But in the cloud, it's just there. So the automation capabilities from a configuration and change management perspective, security incident management or incident response perspective - the game just is completely, completely different in a very good way. And so the folks that embrace these new models of getting operational things done in a compliant-secure and agile way - they end up ahead of the curve. 

Matt Cauthorn: [00:23:57]  Recently, all of the cloud providers - the big three have announced either early access or have launched in generally available terms native packet-mirroring from their virtual switches. And for vendors like us, this is a huge development because one of the last-mile components of the visibility triad, which is logs, endpoint and network - the last one for the cloud is the network. And now it's this great enabler for network detection and incident response from the perspective of the network fabric itself. 

Dave Bittner: [00:24:33]  That's Matt Cauthorn from ExtraHop. 

Dave Bittner: [00:24:41]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:24:58]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Have a good weekend. See you next week.