Archive for China

Five Eyes’ Intelligence Chiefs Accuse China Of IP Theft And ‘new cold war

Posted in Commentary with tags , on October 19, 2023 by itnerd

n an “unprecedented” joint call by the Five Eyes on Tuesday, the intelligence chiefs of the countries accused China of intellectual property theft and using AI for hacking and spying against its nations and called for private industry and academia to help counter those threats.

“China has long targeted businesses with a web of techniques all at once: cyber intrusions, human intelligence operations, seemingly innocuous corporate investments and transactions. Every strand of that web had become more brazen, and more dangerous,” FBI Director Christopher Wray said.

The FBI and the White House sent a warning Tuesday about how technology is being used dangerously, calling it the “new Cold War.”

“Because back in the day, it was more, ‘can I put more bombs and more missiles that point to you?’ Whereas these days it’s truly digital, where the information is, and also the spy component,” said Wray.

This meeting comes shortly after the Biden administration issued new restrictions on companies exporting AI technology to China and other countries.

Despite China having a bigger hacking program than that of every other nation combined, the Chinese government spokesman Liu Pengyu said the country was committed to intellectual property protection and denied the “groundless” allegations.

Ted Miracco, CEO, Approov Mobile Security had this comment:

   “Statements from the intelligence communities at the Five Eyes countries are a positive recognition of the persistent threat of Chinese espionage. However, this escalation is coming years, perhaps decades, after we had known about the blatant theft of intellectual property from China.

   “As open societies, we face significant challenges in competing against a closed society like China in the field of AI. China has a centralized governance structure, which gives it access to a large amount of diverse and centralized data, without a lot of ethical restrictions on how it will be used. In contrast, the Five Eyes countries face challenges in accessing similar volumes and types of data due to privacy concerns and legal frameworks that prioritize individual rights. China has also been aggressively investing in AI research and development, leading to a significant pool of talented scientists, engineers, and researchers.

   “The Five Eyes countries have well-established innovation ecosystems, including leading universities, research institutions, and a vibrant private sector that fosters a culture of innovation which can lead to breakthroughs in AI technologies. However, the question that remains is can open societies capitalize on these innovations, safeguard individual freedoms, and protect their valuable IP over the long term?”


David Mitchell, Chief Technical Officer, HYAS follows with this comment:

   “The PRC has been a cyber concern for as long as I can remember but has grown to become an existential threat over the last few years. The sheer number of motivated hacking teams, the scale of the toolsets and the coordination are unlike anything we’ve ever seen — and add AI to the equation and we have a serious problem. The private sector is not equipped to deal with such skilled nation state teams for a variety of reasons — a lack of network visibility, disjointed security platforms and understaffed organizations.

   “Without improvements in our security posture, products, and response, along with coordination between the private sector and government, it is hard to see this threat dissipating anytime soon.”

While China isn’t the only state actor that is out to steal all the IP that it can get, it is the biggest. Thus the threat that China poses must be taken seriously, along with doing everything possible to stop them from profiting from their desire to steal all the IP that they can.

Two File Management Apps On The Google Play Store Sending The Data Of 1.5 Million To China 

Posted in Commentary with tags , on July 11, 2023 by itnerd

A detailed in a report published by Pradeo, analysts discovered two file management apps on the Google Play Store to be spyware, secretly sending the user data of 1.5 million Android users to servers in China. 

Seemingly harmless Spyware apps, File Recovery and Data Recovery (1 million plus installs) and File Manager (500k plus installs), are developed by the same malicious group and assure users that no data is collected, automatically launch when the device reboots, and hides their icons on home screens.

Pradeo’s analytics engine has found stolen data to include contact lists, media files, real-time location, mobile country code, network provider details, SIM provider network code, operating system version, device brand, and model. Each app performs more than a hundred transmissions and then transmits the data to multiple servers in China which are deemed malicious.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The security issues related to this story are deeply concerning, albeit not surprising. The most fundamental problem is the false sense of security that consumers and businesses have related to app stores like Google Play (and Apple’s Appstore) in terms of actually protecting devices and individuals from these malicious apps. 

   “Both Apple and Google are actively promoting their security efforts at developer conferences, achieving record profits and sales while many of the apps available have huge discrepancies between their stated privacy policies and the actual information and data collected. These include both legitimate mainstream apps, that bend the rules without apparent consequences, and malicious apps that engage in deceptive behavior, claiming not to collect data while secretly doing so. 

   “App marketplaces must prioritize the implementation of more robust security measures to detect and prevent the infiltration of malicious apps that compromise user data.  It is also important for users to remain vigilant in protecting their devices and for businesses to be extremely wary of deceptive and modified apps that can compromise their data and their employers’ data. 

   “The fact that the data is being sent to malicious servers in China compounds the gravity of the threat while making it extremely difficult for consumers and businesses to mitigate the repercussions and long term damage that might occur from the stolen data. It also highlights the complex global nature of cyber threats and the importance of international collaboration in addressing such issues. 

   “Cooperation between security experts, app stores, and law enforcement agencies is vital to combatting these malicious activities and safeguarding user data, yet it is a monumental task that may take decades to be resolved, due to the complexity and competing global agendas.”

This illustrates why you shouldn’t just install anything on your Android or iPhone. Because you simply don’t know what the apps do and where your data is going.

Chinese Sponsored Hackers Target US Infrastructure

Posted in Commentary with tags , on May 25, 2023 by itnerd

Microsoft has said that it has found malicious activity by a Chinese-state sponsored hacking group that has stealthily gained access into critical infrastructure organizations in Guam and elsewhere in the US, with the likely aim of disrupting critical communications in the event of a crisis. 

In a report published Wednesday, Microsoft said the group, named Volt Typhoon, had been active since mid-2021, targeting organizations that span manufacturing, construction, maritime, government, information technology and education. 

Joe Saunders, CEO, RunSafe Security had this comment on this rather disturbing news:

“In all these attacks, denying the adversary the ability to target memory weaknesses in code is essential to thwart any additional steps in the attack, especially if  if we want to make our infrastructure resilient. Achieving cyber resilience is an urgent need for our country.”

Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States, even over decades of data theft from US systems, the country’s hackers have periodically been caught inside US critical infrastructure. Thus the time is to act now before these hackers escalate their activities beyond what they have done to date.

UPDATE: I have two more comments on this. The first is from Willy Leichter, VP, Cyware:

   “These state-sponsored groups are relentless in trying to get a persistent foothold in our critical infrastructure systems, and attacks are inevitable. While all organizations need to remain vigilant about tracking threats, and closing vulnerabilities, we really need to improve how quickly we disseminate critical intelligence industry-wide. Information sharing communities (ISACs) in critical infrastructure, energy, and other sectors are providing some of this intelligence, but we need much more wide-spread adoption and automation, so an attack on one system can be automatically defended against across an entire industry sector.”

Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:

   “While described as novel, the TTPs mentioned in the report have been used for years. Webshells, Living-off-the-Land, command line, proxies for exfiltration. IOCs extracted are valuable but unfortunately have a short shelf life as attackers evolve their infrastructure. The report coming from CISA and NSA provide a fantastic insight on the techniques however you can also clearly identify where traditional EDR solutions will fall short against LOLBin use and how a layered defense approach is critical to augment and further provide critical context.”

Finally Steve Stone, Head of Rubrik Zero Labs concludes with this:

“Rubrik believes the combination of multiple private companies and several governments publicly reporting their findings is a great situation for the overall cybersecurity community.  In particular, the US Government and its partners are working to publicly report activity sooner than in the past at the cost of maintaining their potential access.  This demonstrable shift by the US government is a major step forward for private organizations.

“This activity is in-line with well-established Chinese hacking efforts.  This in no way undercuts the reporting, but its critical we view this as an existing assessment confirmation instead of net new activity.

“The continued focus on valid users and valid tools by threat actors presents one of the largest threats to the industry. The valid user is the most capable attack surface an attacker can gain.  Additionally, these types of actions are notoriously difficult to detect.  For all of these reasons, Rubrik is heavily investing in user intelligence in 2023, which we will combine with data trends.  We think this remains one of the largest problems to solve from a threat perspective.”

Google Blocks Chinese App Pinduoduo Over Security Concerns

Posted in Commentary with tags , on March 21, 2023 by itnerd

Google has suspended the Chinese shopping app Pinduoduo after discovering that versions of the app not in the Play Store have been found to contain malware and the current version is “not compliant with Google’s Policy”. With approximately 900 million users, Pinduoduo is one of China’s most popular e-commerce platforms.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” Ed Fernandez, a Google spokesperson said. 

Google Play Protect scans for malicious apps installed on Android phones and will recommend that users uninstall them. Play Protect currently prevents users from installing the Pinduoduo app.

Furthermore, a Pinduoduo spokesperson said in a statement to CNN, “We are communicating with Google for more information. We have been told that there are several other apps that have been suspended as well.” 

In a later statement Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

It reiterated that “there are several apps that have been suspended from Google Play at the same time.”

Google Play has yet to confirm other suspended apps and has asked users with off-store, which is another way of saying side loading, versions to uninstall it.

Ted Miracco, CEO, Approov had this to say:

   “Mobile attestation is the process involved in verifying that the app was signed by a trusted party and has not been modified since it was signed. If mobile app developers use Google Play Integrity for the attestation process involved, they leave substantial end-users out of the process as both Huawei and Xiaomi smartphones typically do not have access to Google Play attestation capabilities and many Samsung devices support app attestation through their own Samsung Knox (a mobile security platform that provide security features, including app attestation). 

   “It is incumbent on developers to ensure that only genuine apps can access the APIs, otherwise they are opening up their users to the possibilities of malware or credentials being stolen from the app. Attestation across all mobile platforms is both necessary to protect APIs and to ensure the safety of the end users.”

I didn’t see a mention of the Apple versions of this app in the CNN story. I am guessing that because it’s much harder (but not impossible) to slip such code into apps on Apple’s App Store. And apps on that platform need to be signed. Plus side loading isn’t a thing on iOS. Some clarification on that would be handy. But if that’s the case, then as stated above, Google needs to move towards that sort of model as that will keep people safer.

Has A Chinese Police Force Been Pwned By Hackers Leaking The Data Of A Billion People?

Posted in Commentary with tags , on July 4, 2022 by itnerd

Reports are surfacing that a hacker is claiming to have acquired a huge dump of data containing the personal information via a hack of the Shanghai police. The dump of data would relate to one billion Chinese citizens:

The anonymous internet user, identified as “ChinaDan,” posted on hacker forum Breach Forums last week offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin BTC=, equivalent to about $200,000.

“In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen,” the post said.

“Databases contain information on 1 Billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details.”

Reuters was unable to verify the authenticity of the post.

This would be really embarrassing to the Chinese government if this proves to be true. And it would be the biggest data leak in history if this were true. And clearly the Chinese government is sensitive to that:

The hashtag “data leak” was blocked on Weibo by Sunday afternoon.

While this could mean that there’s something to this. It could also mean that the Chinese government is simply reacting to this as a matter of course. We’ll have to wait and see if this data leak is real. And if it is, expect fireworks as this would be a massive story.

NSA, CISA and FBI Expose Chinese Backed Exploitation Of Network Providers And Devices

Posted in Commentary with tags , , on June 8, 2022 by itnerd

The NSA, CISA and FBI have released a Cybersecurity Advisory called “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices“. This advisory centers around the fact that hackers aligned with China are using a variety of techniques to exploit publicly-known vulnerabilities in equipment, allowing them to establish a broad network of compromised infrastructure. The advisory also lists a number of mitigation strategies that organizations need to take to protect themselves.

Jason Middaugh who is the Chief Information Security Officer, MRK Technologies had this to say:

The latest Cybersecurity Advisory from the NSA, CISA, and FBI drives home the importance of good cybersecurity fundamentals such as keeping assets updated/patched, changing default credentials to strong passphrases, and requiring multi-factor authentication wherever possible.

Many companies make the mistake of focusing on implementing the latest and greatest high-tech hardware/software and overlook the basics like system hardening and asset lifecycle management.

It does not matter whether it is the PRC attempting to exploit the device or an international cybercrime syndicate, if you don’t do the basics well it is only a matter of time before an internet facing asset is compromised.

Clearly this advisory is required reading for all enterprises. Because at the end of the day all enterprises are at risk. And it doesn’t matter if it’s China, or a ransomware group. All enterprises need to reduce their attack surface as much as possible to ensure that they are as safe from attack as possible.

UPDATE: Chris Olson, CEO, The Media Trust had this to say:

“Zero-days and other vulnerabilities in networked devices are an overlooked national security threat, especially in the midst of mounting geopolitical tensions. Unfortunately, the problem is not isolated to IT infrastructure, but also extends to the software supply chain, popular apps and mainstream websites. Today, foreign adversaries are targeting American consumers and businesses through code, with no borders to prevent malicious activity. In addition to following the advice published in the joint cybersecurity advisory, organizations should regularly monitor their digital ecosystem for the presence of untrusted third parties and remove bad actors to protect their users.”

Huawei & ZTE Punted From Canadian 5G Networks…. What Took Canada So Long To Do This???

Posted in Commentary with tags , , , on May 20, 2022 by itnerd

Late yesterday news filtered out that both Huawei and ZTE have been banned from Canadian 5G networks over national security concerns. And any telco that are using their gear needs to rip it out ASAP. This mirrors similar moves by the US, UK, New Zealand, and Australia who along with Canada are known as the “Five Eyes” which is an alliance of these five countries to share intelligence. The difference is that Canada was late to this decision while the other four made this call years ago. Thus one has to wonder why it took Canada so long to make this move.

In my opinion, one factor had to be the Michael Kovrig and Michael Spavor situation where those two Canadian citizens were essentially held hostage by the Chinese government in retaliation for the arrest of Meng Wanzhou who is the CFO of Huawei in Vancouver and at the request of the US government. That eventually got sorted when the US cut a deal with Wanzhou which allowed the two Michael’s to be released by China as that’s how “hostage diplomacy” works. But even then, that was over a year ago and they are only banning Huawei and ZTE now. So that can’t be the only reason. Though it’s not clear to me what other reasons exist.

Regardless of what reasons exist, here’s the thing that really bothers me about this rather late decision by the Canadian government to ban Huawei and ZTE. If you accept that both of these companies are arms of Chinese intelligence, which I happen to believe to some degree, then this inaction by the Canadian government has given both these companies an inside look at not only the telecommunications networks in Canada, but how Canadians use those networks. Not to mention that they could have been doing who knows what to gather whatever information that the Chinese government wanted them to gather. All while the Canadian government sat on its hands and did nothing. So even though they’re now banned, Huawei, ZTE, and the Chinese government still win. And that highlights how the Canadian government has failed miserably on this issue.

When it comes to national security, governments have to take it seriously. They have to make decisions that lean towards ensuring security and they have to make those decisions quickly. That didn’t happen here, and I have to wonder if it is going to cost Canada down the road. Because it’s pretty clear that the Canadian government dropped the ball here, and there needs to be some accountability on that front.

Chinese Hackers Targeting Ukraine Says Google

Posted in Commentary with tags , on March 20, 2022 by itnerd

Google’s Threat Analysis Group (TAG) says that China has gotten involved in the Russia/Ukraine war by having its hackers target Ukraine. Google TAG Security Engineer Billy Leonard posted this to Twitter:

In case you’re wondering who Intrusion Truth are, they are a secretive group known for its work on exposing suspected Chinese hacking operations. So if they’re saying something that Google is confirming, then it’s pretty much fact.

This was backed up by Shane Huntley who runs Google’s Threat Analysis Group:

I wonder what the US Government thinks of these reports as US President Joe Biden has recently warned Chinese President Xi Jinping not to get involved in the Russian/Ukraine war. He was talking about weapons and the like. But maybe he should add this to the list as clearly China isn’t neutral when it comes to this war.

The Official Beijing Winter Olympics App Is Found To Be insecure By Citizen Lab

Posted in Commentary with tags , on January 18, 2022 by itnerd

In a report released by The University of Toronto’s Citizen Lab today, researchers analyzed the ‘My 2022’ Beijing Winter Olympics app and discovered the app is insecure when it comes to protecting the sensitive data of its users. The app’s encryption system carries a significant flaw that enables middle-men to access documents, audio and files in cleartext form. Researchers found that the ‘My 2022’ app, which is required for all athletes, members of the press and the audience to have installed, is subject to censorship based on keywords and has an unclear privacy policy that doesn’t determine who receives and processes sensitive data, thus violating Google and Apple’s App Store guidelines. 

Chris Olson, CEO at The Media Trust, an enterprise digital safety platform:    

“Poor app security is a leading cause of the rise in cyberattacks on mobile devices. While the security issues found in ‘My 2022’ are concerning, unfortunately they are not as unique as they appear. Not all mobile apps are susceptible to man-in-the-middle attacks, but most of them do contain undisclosed third parties who can access the same user data as the developer. Mobile users frequently assume that they are safe either because of app store policies, or because they have consented to terms of service – but third parties are not carefully checked by app reviewers, and they are rarely monitored for safety. They can be hijacked to execute phishing attacks, share sensitive data with fourth or fifth parties, suffer a data breach caused by lax security practices, or worse.”

I have to admit that if I were an athlete going to these Olympics and I read this, I may think twice about going. And it makes the move by the Dutch to have athletes keep their personal electronics at home look like a good decision.

Dutch Olympic Committee To Dutch Athletes: Don’t Take Your Phones And Laptops To The Winter Olympics In China

Posted in Commentary with tags , on January 12, 2022 by itnerd

Right now, China doesn’t exactly have the best public perception when it comes to being trustworthy. That’s on display via this Reuters article where Dutch Athletes are being told by the Dutch Olympic Committee to leave their phones and laptops at home when they go to the Winter Olympics that are being held in China:

Dutch athletes competing in next month’s Beijing Winter Olympics will need to leave their phones and laptops at home in an unprecedented move to avoid Chinese espionage, Dutch newspaper De Volkskrant reported on Tuesday. The urgent advice to athletes and supporting staff to not bring any personal devices to China was part of a set of measures proposed by the Dutch Olympic Committee (NOCNSF) to deal with any possible interference by Chinese state agents, the paper said citing sources close to the matter. NOCNSF spokesman Geert Slot said cybersecurity was part of the risk assessment made for the trip to China, but declined to comment on any specific measure. “The importance of cybersecurity of course has grown over the years”, Slot said. “But China has completely closed off its internet, which makes it a specific case.”

It will be interesting to see how China reacts to this. If they say nothing, you have to wonder why as that it implies that China is actually doing something. But if they react in an angry manner, then you might say exactly the same thing. And I can see a scenario where if other countries copy the Dutch, then the Chinese might really freak out as a result.

Get the popcorn ready.