You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The US is grappling with Chinese cyber actors who appear to be building the capability to disrupt critical infrastructure during a potential military conflict. 

In late-breaking news, the US agencies responsible for cyber security and critical infrastructure have released an advisory about the group known as Volt Typhoon. 

The advisory states [emphasis added]:

The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organisations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

Volt Typhoon was a major topic of discussion at a US House Committee hearing last week. 

CISA director Jen Easterly told the hearing "we've seen Chinese cyber actors, including those known as Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict". 

She emphasised that this threat was "not theoretical" and that "CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, [and] transportation". 

Easterly described these confirmed discoveries as "likely just the tip of the iceberg". 

The US government has already started taking practical steps to deal with the threat. On 31 January, the day before the hearing, the US Department of Justice announced it had disrupted what is known as the 'KV botnet'. This botnet, which we wrote about last month, comprises end-of-life small office/home office (SOHO) routers and was being used by Volt Typhoon for command and control.

This operation was limited to the US-based parts of the botnet, and the Justice Department's press release also states its actions were "temporary in nature". An owner restarting a router would make it vulnerable to reinfection. 

But despite these limitations, this operation—coupled with private sector action—appears to have had a real impact. Lumen Technologies also sinkholed the IP addresses used by the KV botnet's infrastructure, and the company's Black Lotus Labs thinks that the KV portion of the botnet is "no longer effectively active". (The botnet has two clusters, 'KV' and 'JDY': the JDY cluster is degraded but still operating.)

Beyond disrupting this botnet, there are, at least in theory, many actions an organisation like Cyber Command could take in response to PRC groups targeting US critical infrastructure. These could include compromising Volt Typhoon itself; targeting Chinese military systems for potential disruption; or even responding in kind by compromising Chinese critical infrastructure to be able to disrupt it in a time of crisis.

Dr Michael Mazarr, a deterrence expert at RAND, told Seriously Risky Business that, if you intended to deter the PRC, these types of cyber operations were subject to a "reveal/conceal dynamic". 

The question here, he said, was "you may have a certain capability, but when do you let them [the PRC] know that you have that capability?"

"You'd want them to know to deter them, but obviously in the cyber realm, by conveying certain things, you tip them off so they go looking for it and now you don't have it [that capability] anymore." 

"So that's just a constant dilemma."

Many of the options we've listed would seem to be useful should conflict occur, but not in preventing conflict in the first place. 

In his testimony to the hearing, General Paul Nakasone, the Director of NSA and US Cyber Command, was not focused so much on deterring PRC cyber actors as on "persistently engaging them". This involves using the "full spectrum of our capabilities to impose costs, deny benefits, and encourage restraint on the part of the adversary", he said. 

It's important to keep in mind this is all about Taiwan and that disrupting US critical infrastructure isn't an end in itself for the PRC. It is a supporting capability for potential military action against Taiwan.

And there are many ways, including diplomatic, military and economic measures, that the US could try to deter Chinese military action in the Taiwan Strait. If these types of deterrence are successful, Volt Typhoon's presence in US critical infrastructure is likely moot. 

Despite that, there is still a cyber-related element to deterring Chinese action. 

Mazarr told us "deterrence often fails when one side, one leader, one military thinks it has a scheme to avoid escalation, bigger costs, long wars". 

This meant making sure China did not think "it has some sort of magical off switch that can prevent the US from marshalling large numbers of forces for, say [hypothetically], four weeks".

To that end, the KV botnet disruption operation and this week's cyber security advisory covering Volt Typhoon are huge wins. And there are certainly many ways Cyber Command could make Volt Typhoon's life difficult and undermine the PRC’s confidence that the group could effectively disrupt US critical infrastructure. 

When it comes to communicating the risk to the public, however, the dynamic Mazarr describes poses a bit of a dilemma.

For language aimed at critical infrastructure operators and lawmakers, officials need to emphasise the threat to generate urgency and encourage action. But at the same time, you'd ideally like the PRC to think that threats to US critical infrastructure are no big deal. 

In the hearing Easterly was clearly speaking to the domestic audience. She mentioned the potential for "disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will". 

Fortunately, Mazarr is sceptical that foreign governments pay all that much attention to the language used in congressional testimony.

"I don't think they would put much store in those kinds of public comments at all". 

VPNs Wounded in Cyber Knife Fight

On Wednesday last week, the US Cybersecurity and Infrastructure Agency (CISA) issued an emergency directive for federal agencies to "disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure" products from their networks.

This is a CISA first, but we suspect it will not be the last time the agency directs network defenders to take what once would have been considered drastic and expensive remediation work.

In mid-January we covered the discovery of two 0days that could be used in concert to remotely compromise Ivanti Connect Secure VPN devices. After the publication of security advisories and information about the compromise, the actor responsible (called UTA0178 by security firm Volexity, which thinks it is likely a PRC cyber espionage group) shifted from quiet and relatively slow operations to widespread exploitation.

Since then, Ivanti and UTA0178 have been in a 'cyber knife fight', in which a series of defensive steps from Ivanti have been countered by the attacker. Ivanti's actions included the release of mitigations, integrity checking tools and patches. UTA0178 countered with  bypasses for Ivanti's mitigations and integrity checking tools, and also with a variety of webshells and backdoors. 

Other groups also joined in the fun after proof-of-concept code was published. Risky Business News has a good blow-by-blow of these events, including the discovery of two more vulnerabilities by Ivanti, one of which was being exploited.

On this week's Risky Business podcast, Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, expanded on the reasons the organisation directed agencies to disconnect the devices.

"This was necessary given the degree of targeting and compromise around the world of the now three exploited vulnerabilities affecting these appliances", he said. 

"Every organisation running these devices absolutely needs to assume targeting and assume compromise."

After disconnecting the devices, CISA's directive says that to return them to service, agencies must factory reset and rebuild the devices, upgrade them to a supported version and revoke and reissue certificates, keys and passwords. 

Even worse, however, CISA says that "agencies running the affected products must assume domain accounts associated with the affected products have been compromised". CISA tells agencies to reset passwords, revoke Kerberos tickets and revoke cloud tokens.  

Goldstein also indicated these kinds of robust directives would be used again if necessary. 

"It is certainly the new normal that these sorts of edge devices are being targeted to extraordinary extent by APT actors... And so where we see targeting of this kind of device to this degree, this is absolutely the sort of action that we will direct where needed to drive the right level of urgency and response"

Goldstein is right when he talks about a "new normal". This is not the first time PRC-linked actors have operated so aggressively that defenders have been told to decommission devices. 

In mid-2023, a group compromising Barracuda Email Security Gateways deployed additional persistence mechanisms once its activities were discovered. These actions aimed to make eviction difficult, and Barracuda ultimately recommended that its devices be replaced because it could not guarantee permanent removal of the group’s malware. 

This also reminds us of the 2021 espionage campaign targeting Microsoft Exchange servers. The campaign was initially quiet but, we wrote at the time, "exploded into a frenzy of indiscriminate exploitation" in the days prior to Microsoft releasing a patch. 

Aggressive exploitation is bad news, but we wonder if it will ultimately encourage vendors to make more secure products? After all, who is going to buy products that regularly get compromised and require time consuming remediation work?

Three Reasons to Be Cheerful This Week:

1. FTC actions against data brokers on firmer ground: A US federal judge has ruled that the Federal Trade Commission's enforcement action against data broker Kochava could proceed. The judge's opinion says Kochava selling "highly granular" personal information could invade consumers’ privacy and expose them to significant risks of secondary harm. This means that the actual practice of selling people's geolocation data will be examined in court to see if it is unfair to consumers.  

2. US law firm Dechert pays to settle hacking claim: a US aviation executive, Farhad Azima, will receive more than £3m from Dechert to settle allegations that the firm hired Indian hack-for-hire firms to steal information from Azima for use in a lawsuit against him. 

3. Visa restrictions for commercial spyware peeps: The US government has announced that it will place visa restrictions on people involved with the misuse of commercial spyware. It is a relatively broad policy and could apply to developers at these companies and also covers immediate family such as spouses and children. Risky Business News has more coverage.   

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Haroon Meer of Thinkst Canary. They discuss how network attackers win, how their tactics have changed over time and what this means for network defenders.

Shorts

The Hack-for-Hire Streisand Effect

Wired's Andy Greenberg describes the backlash against a legal campaign to get articles about the Indian hack-for-hire industry taken down. 

In November last year, Reuters published an article about India's hack-for-hire industry. Legal action in India resulted in the piece being 'temporarily removed', in Reuters' words, and it is fighting the injunction in the Indian courts. 

This injunction was then leveraged in legal threats to get other publications to remove references to the Reuters article. 

An array of organisations, however, are fighting back against this legal strategy. Despite legal threats, investigative news non-profit MuckRock is still hosting the source documents used by Reuters' reporters and tech blog TechDirt has resisted demands to take down its articles. An anti-secrecy non-profit has also republished Reuters' original article.

Midnight Blizzard Attack Path

Andy Robbins at SpecterOps has published a reconstruction of the method Russian hackers known as Midnight Blizzard used to compromise Microsoft email accounts recently (disclosure: SpecterOps are a Risky Business sponsor). 

Patrick Gray and Adam Boileau discuss this in this week's Risky Business podcast at 11:40. 

Ransomware Again a Growing Problem

Blockchain analysis company Chainalysis has reported that cryptocurrency ransomware payments exceed USD$1bn in 2023. This is a new high, after 2022 saw 'only' USD$567m in payments.

This is partly attributable to the Russian invasion of Ukraine, but the Chainalysis report also examines the impact of the FBI's Hive disruption operation and takedown. In this operation the FBI gained access to Hive's IT infrastructure and, for months, provided decryption keys to victims affected by the ransomware. This directly prevented USD$130m in payments, but Chainalysis reckons it might also have had broader systemic effects that saw about USD$200m of payments averted.   

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about what up and coming countries should expect from a cyber command and whether they should invest in them. 

From Risky Biz News:

Two Iranian cyber groups get doxed in a week: The identities of two Iranian cyber groups have been exposed over the course of seven days last week.

The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).

The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on October 7 last year.

[more on Risky Business News]

EU commits to not pay ransoms: During a visit to Washington this week, EU Commissioner Thierry Breton formally committed the EU and its 27 member states to the Counter Ransomware Initiative. As part of this project, member states have pledged not to pay ransoms to cyber criminals. More than 50 countries across the world pledged to support the project, although none have passed laws officially banning ransom payments yet.

Pig-butchering leaders arrested: Chinese officials have arrested ten Myanmar nationals who allegedly operated large-scale cyber scam centres in Myanmar's northern Kokang region. The suspects were detained after China issued an international arrest warrant in their names at the start of December last year. All ten are believed to have had leadership roles in running the scam centres, and some were also members of the Kokang Border Guard Force. The suspects were handed over to Chinese authorities on January 30.

Image via Irrawaddy

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The National Security Agency (NSA) has been embroiled in a US Senator's campaign against intelligence agencies' purchase and use of data obtained illegally by data brokers.

US Senator Ron Wyden, a member of the US Senate Select Committee on Intelligence, is pushing to stop US intelligence agencies buying Americans' personal data obtained illegally by data brokers.

Wyden announced the push in a recent press release in which he announced the release of letters saying the NSA was buying 'internet records' that could reveal what websites Americans visited and the apps they used. 

It then segues into a call for the administration to stop agencies buying personal data obtained illegally by brokers. Recent Federal Trade Commission (FTC) actions indicate that data brokers are sometimes not obtaining informed consent from people whose data they capture, implying that their products are illegal.   

General Paul Nakasone, Director of the NSA, explained the NSA’s data purchase regime in a letter to Wyden, linked to from the Senator’s press release.

In our view, the NSA's regime is defensible and Wyden would be better off focusing on other targets.  

Nakasone admits that the NSA buys what he referred to as ‘CAI’ or commercially available information. However, he details the steps that NSA takes to make sure that the CAI it buys is valuable to its intelligence and/or cyber security missions, is lawfully acquired, that information about US persons is minimised, and that purchase of CAI is regularly reassessed for value rather than purchased on autopilot.

The NSA is also buying data that is filtered to focus on malicious activity, rather than providing a full picture of Americans' movements and actions. That data is aggregated from network operators and ISPs, rather than collected directly from individuals under potentially misleading terms and conditions. 

Nakasone was at pains to make it clear that NSA did not purchase the types of location data that have been the subject of the recent FTC actions. He wrote:

NSA does not buy and use location data collected from phones known to be used in the United States either with or without a court order. Similarly, NSA does not buy and use location data collected from automobile telematics systems from vehicles known to be located in the United States.

This is good news, because the sale of people's location data is an extremely concerning practice. Geolocation data brokers claim their data is anonymous, but they typically use device identifiers that are stable over time. This means that devices can be correlated to individuals by looking at travel patterns, such as journeys between home and work addresses, for example. 

Once a link between a device and a person is established, this identifier can then be used to unravel a person's location history, including sites they might consider sensitive. We've previously covered the use of this type of data to harass a person before and government purchases of this kind of data are problematic.

The NSA does, Nakasone explains, "buy and use commercially available netflow (i.e. non-content) data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad." 

Netflow is comprehensive summary data that captures how traffic flows across the internet and can hint at the type of data being sent. 

We have previously covered the steps commercial vendors of netflow take to mitigate privacy risks. Unlike 'protections' applied by geolocation data brokers, these are meaningful mitigations. For example, the data involved isn't comprehensive, but is instead filtered when it is ingested for flows that are known or suspected to be malicious.

Netflow records have legitimate cyber security uses too:

If the aggregated data covers a particular cyber security incident, researchers can drill down to see what traffic was occurring at a particular point in time. Joe Slowik, Principal Security Engineer at Gigamon [Ed: now at Mitre], says netflow "can be exceptionally valuable in monitoring [command and control] C2 channels to go from victim-facing C2 nodes to actual adversary infrastructure. It can also serve as ground-truth data for exfiltration activity."

We would be surprised if some US government agencies had not purchased and used data obtained illegally by data brokers. But we don’t believe the NSA’s use of netflow falls into this category. 

Microsoft's Dark Winter Gets Colder

Microsoft's Midnight Blizzard breach just keeps getting worse. The compromise, which we wrote about last week, took advantage of a string of security failures from Microsoft, but at the time, the attack appeared to be restricted to Microsoft itself. 

The company's post announcing the incident said the Russian hackers had "access[ed] a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions". 

However, last Thursday, a follow-up announcement said that the vendor had since learnt that "the same actor has been targeting other organisations and, as part of our usual notification processes, we have begun notifying these targeted organisations".

In the same announcement, Microsoft also provided more information about the techniques used in the attack. This included more detail about initial access using a password spray (attempting to access a large number of accounts with a small number of popular passwords), creating a highly privileged OAuth application, and the use of residential proxies to obfuscate connections to command and control servers. 

There is some careful wording here. The post doesn't necessarily imply Midnight Blizzard had been successful attacking other organisations, or that it was able to take advantage of the same Microsoft SNAFU in these other attacks. However, on yesterday's Risky Business podcast Patrick Gray said that multiple sources were saying that the "number of victims of this particular set of TTPs was in the triple digits".  (Other journalists are hearing the same thing.)

One organisation has already fessed up to being impacted by the same actor. Last week, Hewlett Packard Enterprise (HPE) filed its own SEC disclosure statement saying Midnight Blizzard had popped its cloud-based email environment (Microsoft Office 365) beginning around May last year. 

In its latest post on the incident, Microsoft says these were all mistakes of the past and that its security has improved since then:

If the same team were to deploy the legacy tenant today [Ed: a legacy tenant was patient zero in this attack], mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.

That's so good! It's only all of Microsoft's previous customers that have to worry. What a relief!

Election Disinformation Continues to Evolve

A report from the Australian Strategic Policy Institute, released shortly after the Taiwan election, provides a first glimpse at the PRC's evolving cyber-enabled interference tactics. 

This newsletter's last edition of 2023 examined election interference and pointed to the Taiwanese election as one to watch. The PRC has a strong preference for the opposition Kuomintang Party, which favours closer ties with the mainland, as compared to the incumbent pro-independence Democratic Progressive Party (DPP). It also feels free to engage in various different types of election interference. 

Prior to the election, for example, the PRC had used 'friendship tours' to cultivate Taiwanese politicians, used economic coercion and even threatened military action. Cyber-enabled interference is just one arrow in the quiver.

The election was held on January 13 and was a win for the incumbent DPP. The report was released just five days later and — beyond now-standard spammy inauthentic social networks — shows increasing use of both AI technologies and 'leaking' of falsified information. 

The report notes that generative AI technologies were used to create avatars and also content, including what appears to be a virtual presenter or 'speaking portrait' the report says was created by US-based company D-ID. 

There are also attempts to provide what look to be forged documents with authenticity by distributing them as 'leaks' on sites such as BreachForums. The report documents both an alleged leak of Taiwanese government documents and also a fake DNA test that purported to show that the Taiwanese Vice-President had an illegitimate child were both posted to BreachForums. These posts were then amplified by inauthentic looking accounts on X, Facebook, YouTube and on other online forums. 

This contrasts with the US 2016 Presidential election. In that election, Russian operatives stole genuine emails from various parts of the Democratic party, and the impact of subsequent leaks of this material were amplified by the reporting of mainstream media.

In this Taiwanese election, the leaks weren't genuine and the mainstream media didn't amplify them. Perhaps, to some degree, Taiwanese society is even inoculated to this kind of interference. The government has raised awareness of the problem and there are many civil society organisations that counter disinformation.  

So, despite the PRC's evolving efforts, the report assesses that these efforts had "minimal impact on the integrity of election results". 

Three Reasons to Be Cheerful This Week:

1. Prolific swatter arrested: US law enforcement officers have reportedly arrested the country's most prolific swatter, a 17-year-old from California known as 'Torswats'.  

2. Scattered Spider Arrest: Krebs on Security reports that a Florida man arrested for SIM-swapping and related crimes, Noah Michael Urban, is a key suspect in the string of Scattered Spider aka Oktapus hacks. These incidents affected a swathe of high profile US technology companies during 2022.

3. US disables Chinese hacking infrastructure: The US has launched an operation to disable a botnet used by Chinese espionage groups, according to Reuters. Per Reuters, the government  "sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign". We wonder if this is a lot of disabling, or just a little? Just a few weeks ago we wrote about the 'KV botnet', a botnet made up mostly of end-of-life devices and used by PRC cyber actors, including Volt Typhoon, a group that is worrying because of its apparent intentions to disrupt critical infrastructure in the event of military conflict. 

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.

Shorts

SolarWinds Hits Back Against the SEC

US company SolarWinds has filed a motion to dismiss the Securities and Exchange Commission's (SEC) complaint against the company and its CISO, Tim Brown. 

SolarWinds and some of its customers were compromised in a 2020 supply chain breach by Russian state-backed hackers.

The crux of the SEC's case is that SolarWinds and Brown defrauded investors by "overstating SolarWinds' cyber security practices and understating or failing to disclose known risks". In its dismissal motion, SolarWinds argues it made "repeated warnings" about its vulnerability to "the pervasive risk of cybersecurity attacks". And it also says that after it discovered it had been compromised it promptly disclosed the attack.

We have some sympathy for SolarWinds position here, and sincerely doubt that investors care all that much about cyber security risk. It can cause serious disruption, but most of the time these ructions are short-term and don't seem to much affect the long-term value of a company. 

However, part of the SEC's argument was that SolarWinds' disclosures were "boilerplate" and only contained "generic and hypothetical risks that most companies face". So although SolarWinds repeatedly warned of cyber security risks, those warnings were effectively meaningless. 

Companies may as well just say "we are a modern company, cyber security in general is difficult and we could get massively pwned and rekt at any time" and be just as accurate. That can't be right either.

More on Ermakov

Krebs on Security wraps up what is known about Aleksander Ermakov, the alleged Russian cyber criminal who was sanctioned by the Australian, US and UK governments last week. 

NSO Still Not Dead

NSO appears to be trying to rehabilitate its image and has issued a new transparency report. Wired wraps up the various lobbying efforts the firm is making including providing help to Israeli security services in the Israel-Hamas war. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in war. Using them is risky, but those risks need to be managed. This episode refers to this report on location tracking of phones on the battlefield..

From Risky Biz News:

GUR hack in Russia: One of Ukraine's military intelligence agencies says it hacked and wiped servers at IPL Consulting, a Russian company that provides IT services for Russia's industrial sector. Officials from Ukraine's Defence Intelligence Main Directorate (GUR) say they wiped more than 60TB of data from dozens of servers and databases. GUR officials say they also worked with a group of "unknown cyber volunteers in Russia" to cripple the infrastructure of Akado-Telekom, an ISP used by the Putin administration, the FSB, the FSO, the Moscow local administration, and Sberbank.

DOJ and FTC tell companies to stop deleting chats: Federal investigators are warning companies not to delete chats and preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.

In press releases on Friday, the US Department of Justice and the US Federal Trade Commission announced that they updated the language in their preservation letters and specifications—documents they send to companies under federal investigations.

The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.

[more on Risky Business News, including reports of Amazon and Google executives using auto-deleting messages when faced with anti-trust lawsuits]

Brazil spyware scandal: Brazilian authorities have started an investigation against the country's former intelligence chief for organizing a mass surveillance campaign against the political rivals of former president Jair Bolsonaro. Brazilian Federal Police say they raided several homes owned by Alexandre Ramagen, the former head of ABIN, the country's intelligence agency. Officials say Ramagen created a "parallel structure" inside ABIN that targeted state governors, lawmakers, judges, and journalists. The ABIN unit allegedly used a spying tool named FirstMile, developed by Israeli company Cognyte. [Additional coverage in El Pais]

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Office worker with a computer trapped in a web, Stable Diffusion

The Australian, US and UK governments have upped the ante against cybercriminals by launching coordinated sanctions against a single individual involved in a significant extortion attack.

On Tuesday this week, the Australian government announced financial and travel sanctions targeting Aleksandr Gennadievich Ermakov, a Russian national, for his role in the hack of Medibank Private, an Australian health insurance company. 

Australia employed its cyber sanctions regime for the first time in this case. On the same day, the US and UK governments sanctioned Ermakov. 

This was a nationally significant hack that affected a meaningful proportion of the Australian population, and was made worse by the hackers' attempts to apply extra pressure by releasing sensitive information to the dark web. The more appalling releases included a file 'abortions.csv' that contained more than 300 claims made by policyholders in relation to pregnancy terminations and miscarriages, and another called 'boozy.csv' containing details of alcoholism-related treatment. Ultimately, all the stolen data was published.

The Australian government mounted a whole-of-government response that included the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD), as well as the health and service delivery departments. 

At the time, Clare O'Neil, Australia's Minister for Cyber Security, thanked the AFP and ASD for the "intensive work that is underway to hunt down the attacker". 

It looks like that work paid off, and we love that the Department of Foreign Affairs and Trade released to the media a webcam photo of Ermakov.

Russian law enforcement action against cyber criminals in these types of cases just doesn't happen, so coordinated sanctions are one of Western governments’ better options. 

In 2019, the US sanctioned Evil Corp and, in 2023, the US and UK sanctioned 18 members of the TrickBot gang in two different tranches over the course of the year.

In addition to the direct effects of sanctions on individuals, such as curtailing financial options and travel destinations, sanctions also appear to affect cybercrime business prospects. Victims are reluctant to pay sanctioned individuals or groups and as a result other criminals avoid being associated with these entities.

At the Australian press conference announcing the sanctions, Abigail Bradshaw, head of the Australian Cyber Security Centre, pointed out that "cybercriminals trade in anonymity".

"It is a selling quality, and so naming and identifying with the confidence that we have from our technical analysis will most certainly do harm to Mr Ermakov's cyber business", she continued.

We don't think sanctions against criminals will 'solve' cybercrime, but should be applied to deter the worst behaviour. But given there is really a lot of unacceptably bad behaviour going around, more sanctions is good news.   

Subscribe now

Microsoft's Midnight Blizzard: Cold, Dark and Insecure

Microsoft's latest security clanger is, well, unbelievable.

Late last Friday Microsoft revealed that it had been successfully compromised by a group it calls Midnight Blizzard. This group has been attributed by the US and UK governments to Russia's Foreign Intelligence service, the SVR.

A single paragraph from Microsoft's announcement contains all the important details:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.  

The company then had the cojones to write "the attack was not the result of a vulnerability in Microsoft products or services". This is technically correct, in that none of Microsoft's systems had a formal cyber security vulnerability or CVE. But it only makes sense if you only speak cyber jargon and not English and think that 'absence of security' is not a vulnerability. 

In this incident Midnight Blizzard took advantage of a string of Microsoft security failures to achieve their apparent goals — a test account was given extensive permissions that weren't removed after testing was completed; the account was not protected from basic password spraying attacks; and the account was not deactivated when testing was finished.

US Senator Ron Wyden told CyberScoop that "this is yet another wholly avoidable hack that was caused by Microsoft’s negligence".

We've written before about Microsoft's subpar security culture. In announcing this incident, the company wrote:

For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.

This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.  

Well, duh. Microsoft finally seems to be realising that to improve its own security it might need to prioritise it over some of its other efforts. When it announced its Secure Future Initiative late last year this kind of language that elevated security was entirely missing and was the key reason we were underwhelmed by the launch of Microsoft's 'security reset'.

These paragraphs contain the right message, but it's disappointing that this message is coming from the relative backwater of the Microsoft Security Response Center rather than, say, CEO Satya Nadella, President Brad Smith, or even Security Vice President Charlie Bell. Microsoft is being dragged kicking and screaming to actually reprioritising security, one awful breach at a time.

SEC Disclosure: How Much is Too Much?

Microsoft’s decision to disclose the Midnight Blizzard breach to the US Securities and Exchange Commission (SEC), without determining the incident’s material impact, may prompt a surge of non-material cybersecurity disclosures. Whether this is actually an issue depends on the perspectives of stakeholders in this process.   

While some company cyber security leaders argue Microsoft’s decision will clutter the SEC channel and increase the burden on companies of preparing disclosure announcements, the SEC and industry observers believe more cyber security incident disclosure is vital.       

On December 18 last year a new US Securities and Exchange (SEC) rule on the disclosure of material cyber security incidents came into effect. This rule requires that companies inform the market within four days once they've determined that a cyber security incident is material. In this rule, the SEC says information is material:

if "there is a substantial likelihood that a reasonable shareholder would consider it important" in making an investment decision, or if it would have "significantly altered the 'total mix' of information made available." "Doubts as to the critical nature" of the relevant information should be "resolved in favour of those the statute is designed to protect," namely investors. [Ed: quotes here reference various court cases]

In its SEC disclosure, filed on January 19, Microsoft writes that "the incident has not had a material impact on the Company’s operations" and it "has not yet determined whether the incident is reasonably likely to materially impact" the company's financial results or operations. 

One CISO we spoke to said "I guess Microsoft is acting the way we’d expect but it’s just confirming the bummer of a new world we’re in".  

"Companies will be filing 8-Ks all over the place and cluttering up the SEC channel with non investor-relevant crap", he added. (Ed: 8-K's are the SEC form used to disclose significant events)

"The burden to get an 8-K out is enormous and has a long tail of cost and follow up headache so makes the burden of transparency very expensive. And now that Microsoft went first we’re even more committed as an industry to the emerging precedent."

However, Microsoft is not the only company erring on the side of transparency. Even before Microsoft's disclosure, on December 29 last year, First American Financial Corporation disclosed a cyber security incident despite not knowing yet having determined that it would be material. 

In its disclosure the company wrote that it "continues to assess whether the incident will have a material impact on the Company’s financial condition or results of operations, which at this point cannot be determined".

For the SEC, the underlying drivers that require stronger disclosure requirements are that, in the words of Erik Gerding, its director of Corporation Finance, "disclosure practices have remained inconsistent", while "cyber security risks have increased alongside the ever-increasing share of economic activity that depends on electronic systems". 

That seems fair enough. Of course, we'd rather see companies spend money getting security right rather than on disclosure statements that jump the gun.

Flying High: What Critics of the CSRB Get Wrong

As US lawmakers consider whether to permanently establish the Cyber Safety Review Board (CSRB), a US Senate hearing has raised questions about how it operates.

Some criticism has focussed on the extensive private sector involvement in the board and the potential for conflicts of interest to arise. The current board is half senior federal government cyber security officials and half cyber security luminaries from the private sector and academia. Another point of criticism is the fact all CSRB members have full time day jobs. 

In our view, the CSRB's mixed public-private composition is absolutely necessary to have any impact in today's cyber security environment. 

The CSRB has so far produced two excellent reports that have examined systemic issues and are unique because they try to identify root causes and develop recommendations that directly address them. 

Its first review looked at the Log4Shell vulnerability and supply chain security more generally, and, based on our Seriously Risky Business high-level summary, found "supply chain security is massively underdone". The second report looked at the outrageous success of Lapsus$-style hackers with our summary being that "current cyber security practices are ineffective against a new breed of hackers".

The CSRB is often compared with the National Transportation Safety Board (NTSB), the US agency that investigates transport accidents and issues safety recommendations aimed at preventing future disasters. 

There are, however, massive differences between how NTSB accident investigations flow through to action in the transportation sector and how recommendations from the CSRB are converted into action.

In a recent Boeing 737 incident, for example, NTSB discoveries resulted in the Federal Aviation Administration grounding aircraft and ordering operators to inspect specific bolts. The problem is discrete, there are a relatively small number of stakeholders and regulators have authorities that ensure compliance.

None of that exists in the cyber security space. The problems are broad, there are usually large numbers of stakeholders and regulators have limited clout. 

In our view, without the private sector involvement, a newly constructed independent government body simply wouldn't get the traction it needs to make a dent in the cyber security problems that currently exist. The CSRB really needs a lot of credibility and reach to have any kind of impact in the current environment. 

In an interview with Patrick Gray and Adam Boileau on this week's edition of the Risky Business podcast, CSRB Chair Rob Silvers said the board's composition "gives the board a lot of credibility to drive change". 

"And when those people come together and speak as to what needs to happen out there, what CISOs need to do, what network defenders need to do, what regulators need to do, what legislatures need to do, that speaks with incredible force and cannot be replicated by a government only enterprise," he continued.

Given that, other issues that critics raise such as potential conflicts of interests, recusal processes and the careful application of subpoena powers need to be managed. Silvers discusses how these processes are either already in place or have been thought through in potential legislation. They are also examined here in Politico.

Three Reasons to Be Cheerful This Week:

1. iPhone Stolen Device Protection: Apple rolled out what it is calling 'Stolen Device Protection' in its iOS 17.3 release this week. It's a measure that adds extra protections to help stop thieves from capturing the entirety of your digital life if they steal your phone and learn your passcode. This will occur to only a minority of people, but it is good that Apple is still improving protections for what could be considered edge cases.    

2. CISA's ransomware warnings: In its 2023 Year in Review CISA says it issued 1,200 'pre-ransomware' warnings that alert organisations of early-stage ransomware activity on their networks. This potentially enables the affected organisation to head off a full-on ransomware attack. More coverage at Cybersecurity Dive.

3. Second FTC geolocation data broker win: The Federal Trade Commission announced its second settlement with a geolocation data broker this week. As with its win last week, the FTC's complaint relies on the data broker, InMarket, not properly getting informed consent from consumers.  

Sponsor Section

In this Risky Business News sponsor interview, Tom Uren talks to Ivan Dwyer of Material Security about how it makes sense to view office productivity suites as an organisation's critical infrastructure.

Shorts

Using Facial Recognition on Faces Predicted from DNA is a Disaster

This Wired article recounts one police department's attempt to use facial recognition technology on a virtual face as imagined from DNA information collected at a crime scene.

This newsletter supports use of facial recognition technology when it makes sense and with appropriate checks and balances. But this is disastrous. 

UK Post Office’s Tragic Horizon Failure

This Ars Technica article covers the tragic tale of bugs in the Horizon software system that was installed in UK post offices from 1999 to 2015. These bugs resulted in faulty accounts that were then used to justify the prosecution and conviction of more than 900 UK Post Office employees. 

Stablecoins the Sanction Evasion Crypto of Choice

Blockchain analysis company Chainalysis has found that stablecoins, cryptocurrencies pegged to something stable like the US dollar, are the vehicle of choice for crypto scammers and entities trying to avoid sanctions.

Makes sense. Why add currency valuation risk to your problems when you are just trying to make a dishonest living?

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about data brokers and how having so much data available about Americans feels creepy, yet there is little visible harm to individuals. But there are still reasons to be worried.

From Risky Biz News:

CISA Director swatted: CISA Director Jen Easterly was the target of a swatting attempt, according to a report from The Record, citing sources inside CISA. The attacker claimed gunfire was heard from Easterly's house on the night of December 30, last year. The CISA official was unharmed after Arlington County Police arrived on scene and determined no shooting had occurred. The incident comes as a large number of US officials have been swatted over the past weeks, with two incidents targeting the White House itself.

GVSU hack: A Ukrainian hacker group named BlackJack has breached and wiped more than 150 systems belonging to the Main Military Construction Directorate for Special Facilities (GVSU), a state-owned company that builds military facilities for the Russian military. The group claims it also downloaded more than 1.2TB of information from the company's servers containing information on more than 500 military objectives. The BlackJack group has been informally linked to the Security Service of Ukraine. Ukraine's Main Directorate of Intelligence, or GUR, praised the attack on Telegram as a major success. [Additional coverage in UkrInform/English coverage in BusinessInsider]

UNC3886: Google's Mandiant division says that a VMWare vulnerability patched in October of last year was secretly exploited in the wild by Chinese hackers since late 2021. Mandiant linked the attacks to a group it tracks as UNC3886. The group has a long history of going after devices that cannot run EDR security products, allowing their attacks to go undetected for longer. When it patched the vulnerability (CVE-2023-34048) in October, VMWare wasn't aware of active exploitation but released patches even for end-of-life devices.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Not only are cyber espionage groups likely based in China using living-off-the-land techniques to operate stealthily, they are adopting techniques that make post-discovery eviction more difficult. 

Two separate campaigns reported in recent weeks illustrate the different techniques actors believed to be associated with the PRC are using. In one campaign, a group that had been operating slowly and discreetly switched to large-scale device exploitation and used various persistence mechanisms to 'dig in' once it was discovered. 

In the second campaign, the actor concerned used compromised end-of-life devices in a botnet to relay command and control communications. 

The first campaign appears to have kicked off in early December last year, and targets Ivanti Connect Secure VPN devices. Cyber security firm Volexity reported details of this campaign, including the two 0days used, on 10 January. 

Volexity appears to have become aware of the campaign from its very beginning. The firm discovered suspicious activity on a customer's network and was able to trace it back to Ivanti's internet-facing VPN appliance. 

Volexity was able to determine that two 0days (an authentication bypass and command injection vulnerability) were used in concert to compromise the device to get network access. 

Hackers then used this access to deploy a webshell and keylogger, gather credentials and ultimately pivot into the internal network. Volexity wrote in its report that it "has reason to believe that UTA0178 (Ed: its name for the group responsible) is a Chinese nation-state-level threat actor", but did not expand on these reasons. 

Mandiant also reported on the activity and described the group responsible as a "suspected espionage threat actor", but did not assign the activity to any particular state. 

Both reports note that the group used compromised out-of-support Cyberoam VPN devices to proxy communications. Targeting end-of-life devices is also a feature of the second campaign we discuss.

Ivanti published a mitigation on the same day Volexity released its report. By the day of publication, Volexity and Ivanti had found only a single compromised organisation.

However, the day after publication, on 11 January, what Volexity describes as "widespread exploitation" kicked off. Much of this activity occurred quite quickly after publication and used essentially the same webshell as was deployed in the first hack Volexity detected, indicating the same actor was probably at work.

The company says that "appliances appear to have been indiscriminately targeted, with victims all over the world" and that by 14 January, 1,700 Connect Secure devices had been compromised. It appears other threat actors also attempted to exploit Connect Secure devices, but it is not clear whether their efforts were related to the initial group’s actions. 

We have seen Chinese actors accelerate operations after they have been pinged before. In June last year, a PRC espionage group rapidly deployed different persistence mechanisms at scale after its campaign exploiting Barracuda Email Security Gateways was detected and publicised. This 'digging in' was so extensive that Barracuda could not guarantee the affected gateways could be made secure again and recommended they be fully replaced.

Another report, released last week by SecurityScorecard's STRIKE team, says that a botnet used by China's Volt Typhoon group now controls about 30% of all the visible Cisco RV320 and RV325 WAN routers across the internet. 

Volt Typhoon is a genuinely worrying group because it appears to be "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises", according to a Microsoft report.

The hacked Cisco routers are incorporated into what Black Lotus Labs at Lumen Technologies calls the 'KV-botnet', a botnet made up of compromised small office/home office routers.

This botnet is made up of two 'clusters'. One cluster, called the "JDY cluster" by Black Lotus Labs, is used for target scanning. Targets identified by JDY are then passed to the "KV cluster", which "appears to be reserved for manual operations against higher value targets".

The JDY or scanning portion of the network is made up exclusively of Cisco RV320 and RV325 routers, whereas the composition of the KV portion varies and has over time included Cisco RV320s, DrayTek Vigor routers, NETGEAR ProSAFEs and Axis IP cameras. 

Except for the Axis IP cameras, all these devices are end-of-life and manufacturers have absolved themself of responsibility for security patching.

Targeting end-of-life devices for these botnets just makes sense. Manufacturers have already washed their hands of responsibility, so are not likely to issue patches without some sort of public pressure. And how would an owner know if their device had been assimilated into a Chinese spy botnet anyway?

There have been several US government efforts to take down botnets used by foreign cyber espionage actors, notably Russian botnets such as VPNfilter, Cyclops Blink and Snake. However, these kinds of operations take a huge amount of time and effort and are also sometimes constrained in scope because of jurisdictional issues. We can't help wondering if prevention would be better than cure. 

Targeting of EOL devices highlights deficiencies in patching obligations

One theme of the US cyber security strategy is shifting the costs of poor product security back on the companies that sold those products in the first place. We think it is time to look at how long companies should be required to provide software patches to mitigate security issues. 

No doubt it is painful for companies to issue security updates and patches for old products. We can understand why companies would like to turn a blind eye and wash their hands of them. But who then becomes responsible for vulnerabilities in these products? And should it be up to governments to effectively subsidise these manufacturers by applying band aid solutions once they become a national security problem? 

And a reminder that compromised devices aren't 'just' used to steal information — as mentioned earlier, there is deep concern that Volt Typhoon is preparing disruptive capabilities for use in a military conflict with the US.  

FTC Geolocation Win Masks Shaky Legal Foundations

Last week the Federal Trade Commission (FTC) announced its first ever settlement with a data broker over the sale of sensitive location data.

That the FTC has pursued this action is great as the US needs far more rigorous data privacy standards. But the basis for the settlement is pretty thin and underscores the terrible state of American privacy law.

In its original complaint from 2022, (when the data broker concerned, Outlogic, was known as X-Mode), the commission said X-Mode sold "raw location data tied to unique persistent identifiers" and advertised that its location data "is 70% accurate within 20 meters or less".

Fine-grained geolocation data linked to a persistent identifier is, from a surveillance and intelligence perspective, wonderful! Combined with offline information available about people, this data is essentially all someone needs to figure out who people are and where they go (we covered a real-world example of use of this data involving a Catholic priest back in 2021).

The complaint continues:

X-Mode does not restrict the collection of location data from sensitive locations such as healthcare facilities, churches, and schools. X-Mode contractually restricts how its customers may use location data. For example, one such restriction is that its customers cannot: 

use X-Mode Data (alone or combined with other data) to associate any user, device or individual with any venue that is related to healthcare, addiction, pregnancy or pregnancy termination, or sexual orientation, or to otherwise infer an interest or characteristic related to any of the foregoing;

So… X-Mode's made its customers pinky promise not to do anything bad. The FTC didn't think that was sufficient.  

X-Mode mostly obtained location data through third-party apps that incorporated its Software Development Kit (SDK). The developers of these third-party apps were paid to facilitate X-Mode's data collection and its SDK was incorporated into over 300 apps including games, fitness trackers and religious apps.

Brandon Pugh, Cybersecurity Director at the R Street Institute, told Seriously Risky Business, that the FTC "is no stranger to taking action directed at data brokers" and "it's clear that the FTC hopes this will be a signal to data brokers". 

He thought, however, that it would be better if Congress passed comprehensive federal data privacy and security laws. 

"That would allow Congress to take the lead on privacy policy instead of a federal agency acting by way of ad hoc actions or expansive rulemaking", he said.

The strongest part of the FTC's complaint is that X-Mode did not properly tell mobile device users how their data would be used, did not honour consumer's privacy choices and did not get informed consent from users of these third-party apps. That's pretty cut and dried.

The logical response from other companies in this segment is to list how geolocation data is collected and used in the terms and conditions of apps that act as data sources. That would greatly reduce the sting of any possible FTC action. (This Wired article examines the Outlogic settlement and the ineffectiveness of terms and conditions in more detail).

The geolocation data of an entire nation just shouldn't be for sale. The FTC is trying to fix this problem, but it would be much better if its actions were supported by reasonable laws. 

Three Reasons to Be Cheerful This Week:

1. More disruption operations on the way: A Department of Justice official has told attendees at an international cyber security conference that he expects more US government cyber threat disruption operations in 2024. That is the right approach and we look forward to hearing about them over the coming year.

2. Removing barriers for cyber hires: The US government is working to remove the requirement for four-year degrees for some federal cyber security contracting jobs.  

3. Positive scorecard for US cyber diplomats: The US Government Accountability Office has reviewed the State Department's new Bureau of Cyberspace and Digital Policy and on the whole, given it a passing grade. NextGov has further coverage. 

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Ken Westin, Field CISO at Panther about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.

A short demo on how to use Panther's Detections-as-Code (DaC) platform for cryptominer investigations.

Shorts

Insurers Settle in Merck NotPetya Case

Pharmaceutical giant Merck reached a settlement with its insurance providers in a case over USD$1.4bn in claims stemming from the 2017 NotPetya attack. In this attack a Russian military intelligence unit launched a wiper attack on Ukrainian firms that propagated globally. Merck's insurers were trying to avoid making payments, claiming NotPetya fell under the insurance policy's war exclusions. 

The settlement is not public, but it means that the previous appeals court opinion in favour of Merck still stands. 

The Varying Impact of Takedowns

Threat intelligence firm Recorded Future compares three different takedowns in its recently released 2023 Adversary Infrastructure Report. Action against the Emotet and Qakbot botnets have been relatively effective, although in both cases the criminals behind the botnets appear to have moved on to other efforts such as propagating different types of malware. A takedown of unlicensed Cobalt Strike servers, by contrast, didn't have much impact at all. (Cobalt Strike is a legitimate security testing command and control tool that is popular amongst cyber criminals and state actors).  

Subscribe now

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the legacy of Stuxnet, how it was an 'inevitable gamechanger' and how much the Dutch government knew (or should have known) at the time. 

From Risky Biz News:

eBay fined in 2019 harassment case: eBay has agreed to pay a $3 million fine to settle a DOJ lawsuit accusing the company of orchestrating a harassment and intimidation campaign. The company admitted that its security team harassed a US couple who ran a newsletter that negatively reviewed eBay products. eBay's former Senior Director of Safety and Security and six members of the company's security team posted negative comments on the newsletter's articles and a bunch of way way waaaaaaay more creepy stuff—see below.

The campaign included sending anonymous and disturbing deliveries to the victims' home, including a book on surviving the death of a spouse, a bloody pig mask, a fetal pig and a funeral wreath and live insects; sending private Twitter messages and public tweets criticizing the newsletter’s content and threatening to visit the victims in Natick; and traveling to Natick to surveil the victims and install a GPS tracking device on their car. The harassment also featured Craigslist posts inviting the public for sexual encounters at the victims' home.

Sandworm: Forescout has a deep dive [PDF] into the Sandworm attacks against Denmark's critical sector that were spotted last year by local authorities. The surprising main conclusion is below.

Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.

Cybercrime crew infects 172,000 smart TVs and set-top boxes: A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

Once installed, the apps and firmware updates would ensnare infected devices into the Bigpanzi botnet and carry out attacks at the operator's behest.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Russia's cyber activities in the Ukraine conflict are increasingly smart, but the country’s cyber leaders apparently still can't resist destructive operations that are flashy, but ultimately counterproductive. 

In the smart category, Russia has compromised internet-connected webcams in Ukraine to conduct remote surveillance. On January 2, Ukraine's security service, the SBU, issued a public warning that Russian intelligence services were hacking these devices for espionage purposes. The SBU provided examples of two particular devices that were compromised to redirect viewing angles to show more of the environment, with the footage streamed to YouTube. The SBU believed this surveillance video was used to provide information on targets for long-range strikes, and for damage assessment. 

At first glance this type of cyber operation appears modest, as it is not technically sophisticated, the direct impact is low, and the report only mentions two cameras. 

It turns out, however, that many of the video surveillance cameras sold in Ukraine prior to the war were managed with a system known as Trassir, that had been developed by a Russian company. Trassir software was used by individuals and enterprises and was even installed at critical infrastructure facilities such as the Chernobyl nuclear power plant. Worse yet, the video feeds from these cameras were routed via Russian servers.

So although the SBU mentioned just two cameras in this case, Russian efforts to compromise cameras could be very widespread. Early in 2022 the SBU blocked a large number of Russian IP addresses, including those of Trassir servers. Presumably, this explains why the hacked devices the SBU reported on were altered to stream video via YouTube rather than directly to a Russia-based IP address. In this month’s announcement, the SBU said it had stopped the operation of 10,000 IP cameras since the start of the invasion and appealed for Ukrainian citizens to report online camera streams to its official chatbot.

Hijacking surveillance cameras to provide targeting support is also a fairly sensible use of cyber operations, because it complements conventional military capabilities with the intent of making them more effective. It's quiet, but potentially deadly.

By contrast, a December 12 attack on Kyivstar, Ukraine's largest mobile operator, is the stuff of cyberwar fantasies. However, the attack feels like a squandered opportunity as Russia does not appear to have taken significant advantage of it.

The Kyivstar attack left over half of Ukraine's population without mobile and home internet services for two days. It also disrupted some banks and ATM services, point-of-sale terminals and air-raid sirens.

Illia Vitiuk, the SBU's cyber security chief, told Reuters this was a long-term operation and that the hackers had been in Kyivstar's networks since at least May 2023. Vitiuk said they  had probably had "full access" since at least November.

He described the attack as wiping "almost everything" including thousands of virtual servers and said it "completely destroyed the core of a telecoms operator".

Despite what sounds like pretty comprehensive destruction, the disruption was relatively short-lived. Kyivstar services were back up within a matter of days and the company's CEO said services were fully restored just eight days after the attack. 

The attack was not combined with any other significant Russian military action, such as a major drone or missile attack. And, according to Ukrainian government sources, there was relatively little impact on Ukrainian military communications.

When it comes to assessing the impact of this attack, timing is everything. If this type of attack had been executed in February 2022, at the beginning of Russia's invasion and combined with Russia's attack on Viasat's KA-SAT satellite service, it could have measurably improved the chances of Russian military success. 

In December 2023, however, we think this attack is actually a net negative for Russia's military prospects, because maintaining enduring access into Kyivstar would have been tremendously valuable. Vitiuk told Reuters the SBU assessed:

…the hackers would have been able to steal personal information, understand the locations of phones, intercept SMS-messages and perhaps steal Telegram accounts with the level of access they gained.

These capabilities would have been an intelligence goldmine that could have enabled many more impactful military actions over the longer term. 

Destroying Kyivstar results in a short-term sugar rush, but pretty much guaranteed that the Russians lost access. This cuts against the trend in Russian operations towards intelligence gathering that we wrote about last September, so we are left wondering what the motivation for this particular operation was. 

The SBU's Vitiuk attributed the attack to Russia's Sandworm group (the GRU, Russian military intelligence) and regarding the timing of the operation said "maybe some colonel wanted to become a general". We don't have a better explanation. 

Subscribe now

Predatory Sparrow Won't Move the Needle in the Middle East

Israel is trying to use cyber operations to warn off regional foes, but the current conflict is just too hot for this strategy to work. 

In mid-December, Predatory Sparrow, a purported hacktivist group believed to be a persona of the Israeli military, disrupted petrol supply systems in Iran. In a statement on Telegram, the group claimed to have disrupted "a majority of the gas pumps throughout Iran… in response to the aggression of the Islamic Republic and its proxies in the region".

Although we don't know yet if the technical details are the same, this appears to be a repeat of an October 2021 attack that Predatory Sparrow launched against Iran's fuel subsidy system. In that attack, petrol stations shut down because they were unable to charge customers for fuel.

As in that attack, Predatory Sparrow took steps to show that it was operating responsibly. In a recent Telegram statement it wrote:

As in our previous operations, this cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services.

We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation.

In this case, the operation is all about sending a message to Iranian leadership. In its Telegram posts, Predatory Sparrow directly warned Iran's supreme leader, saying "Khamenei, playing with fire has a price" and a few days later said "Khamenei! Playing with proxies a girl can get burned".

Previous Predatory Sparrow attacks took place in the context of a series of tit-for-tat destructive operations between Iran and Israel that appear to have been kickstarted by an Iranian cyber attack on Israeli water infrastructure. At the time, we wrote:

Following reports of cyber attacks against Israeli water infrastructure in 2020, a suspiciously large number of things have caught fire or gone boom in Iran since, including the Natanz uranium enrichment facility, a missile production facility, an oil pipeline, a shipyard in the Iranian port of Bushehr, Iran's largest warship, and an oil refinery. 

Other less physically destructive incidents have involved cyber attacks on the port of Bandar Abbas and a wiper attack on Iran's national rail system. Some of these incidents could be the result of deliberate state-backed actions; others may simply be accidents. 

This one wasn't an accident, though: In November last year, Iran's top nuclear scientist was assassinated with a self-destructing remotely-controlled machine-gun. 

At one level, using precisely executed cyber operations to send a warning is clearly better than using operations that cause a lot of collateral damage and therefore escalate conflict.

Having said that, however, we are not sure that signalling via cyber operations has actually worked for Predatory Sparrow. Its previous petrol station hack occurred in October 2021 and by June 2022 it was carrying out spectacular destructive attacks on three Iranian steel mills. If its signalling had worked, would it have needed to carry out further operations?

The geopolitical situation is also vastly different today. Israel is involved in a war against Hamas, Israel and Hezbollah are exchanging strikes back and forth across Lebanon, and Iranian-backed Houthi rebels are attacking cargo ships in the Red Sea. There's genuine diplomatic concern that the Israel-Hamas war could expand to encompass Hezbollah in Lebanon. 

Given the situation, will the repeat of a two-year-old fuel supply disruption operation move the needle at all? We don't think so. 

Three Reasons to Be Cheerful This Week:

1. ALPHV Disruption: In mid-December the US Department of Justice announced that it had disrupted the ALPHV (aka BlackCat) ransomware gang, which it described as the second most prolific ransomware-as-a-service brand. The DoJ also revealed the FBI had developed a decryption tool that it had offered to 500 affected victims. That's the good news, but the weird addendum is that although the FBI was able to get credentials for the site it wasn't able to prevent ALPHV from 'unseizing' it. This 'tug of tor' is well described at Ars Technica.  

2. Scam city seized by Myanmar rebels: A city that is a hub for online scams known as 'pig butchering' has been ceded by Myanmar's military government to rebel forces that claim to be focused on cleaning up scam centres. The change in control ultimately seems to be driven by the PRC's frustration with the pig butchering epidemic that has affected thousands of Chinese nationals. This ABC report has good coverage of the broader issues. 

3. More cyber-focussed FBI agents overseas: The FBI told CyberScoop that it is increasing the number of cyber-focussed FBI assistant legal attachés at American embassies overseas by six people to 22. Given the international nature of cybercrime, we are actually surprised that there are so few.

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Chris St Myers, Stairwell’s head of threat research, about managing the risk from software you absolutely must use.

Shorts

Russia Hates Democrats, China Loves China

Last edition we talked about the inevitability of election interference. Since then, both the US and the UK governments have released reports describing attempted interference. The Taiwanese government has also committed to releasing a report on PRC interference after its election is completed on January 13.

The report from the US intelligence community, assesses that Russian interference is mostly about denigrating the Democratic Party, PRC interference is about promoting pro-China interests without favouring any particular party, and a number of other foreign parties interfere more narrowly. It expects interference to peak during Presidential election years and the report says:

The involvement of more foreign actors probably reflects shifting geopolitical risk calculus, perceptions that election influence activity has been normalised, the low cost but potentially high reward of such activities, and a greater emphasis on election security in IC collection and analysis.

Extradition Tug-of-War Ends Up with Russian Victory

Russian cyber security executive Nikita Kislitsin, who was the subject of an extradition tug-of-war between the US and Russia after his arrest in Kazakhstan, will ultimately end up in Russia. 

We examined this case in July last year when we looked at the underlying drivers behind these diplomatic contests that occur whenever a Russian citizen is arrested internationally on cybercrime charges. 

SEC Twitter Hack Moves Bitcoin

On Tuesday the @SECGov X (formerly Twitter) account was hacked and used to release a message stating that the commission had granted approval for a Bitcoin exchange-traded fund (ETF). This briefly moved the market for Bitcoin from $46,700 to $48,000 before the false tweet was exposed.

On Wednesday, however, the SEC really did approve  Bitcoin ETFs. Rather than a clever hack to make money by manipulating markets, the hacker appears to have just posted a draft tweet.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk with infosec and anti-virus veteran Martijn Grooten about how the infosec industry has changed over the years.

From Risky Biz News:

Turkish APT group Sea Turtle returns: Hackers associated with the Turkish government are conducting new cyber-espionage operations across Europe and the Middle East, according to recent reports from PwC, StrikeReady, and Hunt & Hackett.

Tracked as Sea Turtle (Teal Kurma, Silicon, UNC1326, Cosmic Wolf), the group rose to fame between 2018 and 2020 when it conducted a series of DNS hijacking campaigns that intercepted traffic for Cypriot, Greek, and Iraqi government systems.

Ever since its public ousting in late 2020, the group wound down its DNS hijacking infrastructure, and very little activity has been linked to its operations. In recent reports, the three security firms claim the group has now re-tooled and changed its modus operandi, although some connections to its old infrastructure remained.

[more on Risky Business News]

Ransomware wrecks Paraguay's largest telco: A ransomware attack has wreaked havoc inside the network of Tigo, the largest mobile operator and internet service provider in Paraguay.

The incident took place last Thursday, January 4, and impacted the telco's business branch.

Around 300 servers in Tigo's data centre were encrypted, according to Miguel Ángel Gaspar, director of the Paraguay Ciberseguro Foundation.

At least 300 companies were impacted downstream. The companies lost phone service and files hosted on Tigo servers.

[more on Risky Business News]

Ukraine repels attack on state payment system: Ukraine says it repelled Russian cyberattacks against its state payment system for the second week in a row. Officials say Russian hackers tried to destroy vital systems used for budget payments. The operation comes after Russian hackers successfully wiped servers inside Kyivstar, the country's largest mobile operator.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. This is the last edition for 2023 and we will be back in early January. Stay safe out there!

Interference-Free Elections? How Quaint!

There are three major elections taking place in 2024: in Taiwan, the United States and Russia. So, what are the chances that we'll see cyber-enabled disruption campaigns targeting each of these polls? In the case of the upcoming US election it seems inevitable.

Election interference techniques take many forms. At the 'lowest' level are information operations on social media that spread disinformation and propaganda. In the context of an election, these types of operations tend to get lost in the noise.

At the 'highest' level of severity there is the possibility of direct interference in the electoral process: messing with the actual votes. In theory, this could shape the outcome of an election, and even unsuccessful attempts undermine the perceived legitimacy of election outcomes.

Somewhere in the middle are tactics such as hack and leak operations that were used by Russia in the 2016 US Presidential election. These had an impact on that election because they were picked up and amplified by the mainstream media.

The Taiwanese presidential election is scheduled for 13 January and the PRC, with its opposition to Taiwanese independence, obviously has a strong interest in how Taiwan is governed. This may motivate the PRC to interfere on behalf of the opposition Kuomintang (KMT) party, which favours closer ties to Beijing than the incumbent pro-independence Democratic Progressive Party. 

If the PRC undertakes cyber-enabled interference, it is likely to complement measures that include 'friendship tours' (a recent Reuters report, describes a Chinese effort to engage hundreds of Taiwanese politicians with subsidised trips to the mainland), economic coercion and even threats of military action. A spokesperson for the PRC’s Taiwan affairs authority, for example, recently described the upcoming election as "a choice between peace and war". In this context, cyber-enabled interference is just one of many concerns for Taiwan. 

The US Presidential election is a different can of worms. Neither the PRC nor Russia are in a position economically or militarily to undertake the kind of no-holds-barred interference the PRC may opt for against Taiwan. Because these other options aren't available cyber-enabled interference is likely to become the tool of choice.

Gavin Wilde, a Russia and information warfare expert at the Carnegie Endowment, told Seriously Risky Business he thought cyber-enabled interference in the 2024 US election was "inevitable". He said Russia would view that kind of interference "less as transgressing a norm than as rigid adherence to one".

Wilde stated that although electoral system manipulation would be very difficult to pull off successfully in the US due to the highly federated nature of its elections, the potential negative impact on the public's confidence in election outcomes resulting from this type of interference -- be it attempted or successful -- was very high. He said this threat required an "all hands on deck" approach from national and election security officials. 

Wilde also considered hack and leak and online influence operations to be "almost a certainty". Here, he thought solutions lay not so much in foreign and security policy but instead needed to be more domestically focused. These types of operations were sometimes a "convenient distraction from conversations we need to have about the responsibility of journalists, the role of opaque money in politics, the quality of our elites, the responsiveness of government to the concerns of ordinary citizens, etc".

Wilde also mentioned Executive Order 13848, a Trump-era directive that attempted to define ahead of time how the administration would respond to specific threats against election integrity. If clear thresholds were set out beforehand, government officials might be better equipped to respond to interference. 

If those triggers are not pre-established, officials face the unenviable task of responding to cyber-enabled interference during the heat of an election campaign.

In the 2016 US presidential election, for example, the Obama administration was aware of Russian efforts to influence the election in favour of Trump but did not call them out publicly. At the time, President Obama said publicising Russia's efforts would have created "just one more political scrum" and would "raise more questions about the integrity of the election".

What about tit-for-tat American interference in next year's Russian election? Wilde doesn't think it makes any sense.

"In addition to being extremely provocative, escalatory, and hypocritical — any attempt to meddle in their sham electoral process is fruitless any way you slice it. Putin isn't a candidate at this point. He's a system. Neither information ops nor hacks can alter such a resilient system." 

Subscribe now

Iran Attacks Our Precious Fluids

Attacks on US water infrastructure by Iranian hackers are, ahem, making waves. 

Risky Business News reports:

The US government has confirmed that an Iranian hacking group named Cyber Av3ngers has gained access to equipment at water facilities across multiple US states. CISA, the FBI, the NSA, and other agencies say the attacks began as far back as November 22 and exploited PLCs (programmable logic controllers) manufactured by Israeli company Unitronics. The group targeted Unitronics PLCs that were still using the default password "1111". CISA asked US organisations last week to change the default password, enable MFA, and remove the devices from the internet. US officials say the Cyber Av3ngers group is affiliated with the IRGC, an Iranian military and intelligence organisation.

This campaign appears to have been launched in reaction to the Israel-Hamas conflict. CISA's advisory states the hackers left a defacement image on the devices that says "You have been hacked, down with Israel. Every equipment 'made in Israel' is CyberAv3ngers legal target."

As of 1 December, according to reporting from CNN, CISA believed that "less than 10" water facilities across the country had been affected by these attacks. 

Fortunately, these incidents have been annoying rather than disastrous. The general manager of one of the water utilities affected, Robert J. Bible, told CNN that water quality was not at risk but the hack meant the utility had to manually control water pumps. He described the incident as "a pain" and "a big inconvenience". 

"Somebody's got to wake up at 3 in the morning and go turn on or turn off those pump stations," he said.

Bible runs a water authority that serves around 15,000 people near Pittsburgh, and he said that being caught up in politically-motivated attacks "was maybe the furthest thing from my mind".

The outcomes could have been far worse. CISA writes that the water and wastewater sector uses PLCs in many different scenarios: 

…to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations

Unitronics devices are also used in other industries, including energy, food and beverage manufacturing, and healthcare. A brewery was also affected by the Cyber Av3ngers hacking.

The incident underscores the vulnerability of the US water sector and some of the reasons  will be difficult to quickly improve security. The sector is highly decentralised with over 50,000 'community water systems' providing tap water to Americans. Most of these systems provide water to small communities of 10,000 people or less. 

There is an argument here that a robust response is needed to try to deter hackers from meddling with US critical infrastructure. In this case, however, the hacking is akin to digital graffiti and is not reported to have had any serious impacts. 

A proportionate response to an irritating cyber attack would be… just irritating and probably not much of a deterrent. And why mount a disproportionately robust response to a low-impact hack when there are plenty of other damaging incidents whose perpetrators really do deserve their own slice of deterrence pie? In just the last few weeks ransomware incidents have caused serious disruptions in hospitals, credit unions, banks and in a separate water utility incident. 

ChatGPT 'Just Asking Questions'

The Institute for Strategic Dialogue, a non-profit organisation that counters extremism and polarisation, has discovered a ChatGPT-enabled social media harassment campaign on X (formerly Twitter).

Although the ChatGPT content appeared authentic at first glance, one reply in the campaign was a giveaway: "I cannot fulfil this request as it goes against OpenAI’s use case policy by promoting hate speech or targeted harassment".

The campaign targeted imprisoned Russian opposition figure Alexey Navalny and his non-profit Anti-Corruption Foundation. Regarding the quality of ChatGPT-generated content, ISD writes:

The ChatGPT content, overall, is very good. It has some quirks and some oddities – weird metaphors, unwieldy hashtags, a predilection for melodrama, a peculiar fixation on food. Seen as a whole, the corpus of content does feel oddly robotic. When you already know to look for signs of AI use, there are reasons to be suspicious.

However, ISD finds that when viewed in isolation, the ChatGPT-generated tweets are  "strikingly authentic-looking".  It also finds, that in some respects, ChatGPT is surprisingly capable:

In particular, it is impressively and somewhat surprisingly proficient at presenting a message through inference and implication – the "just asking questions" strategy so commonly used by conspiracy theorists, extremists and disinformation actors alike. This is a more subtle approach than some more direct methods of spreading distrust and it might have been expected that the AI might struggle with it, but this does not appear to be the case.

In this case, the operators were sloppy so the campaign was detectable, but ISD thinks that AI-generated campaigns will not be discoverable by standard researcher tradecraft, such as looking for posts or phrases copy-pasted across a network of linked accounts. 

The report doesn't hazard a guess as to whether the use of ChatGPT will increase the effectiveness of these kinds of campaigns. It does suggest, however, that generative AI campaigns will be used against real people and movements expressing genuine opinions online, and therefore deepen polarisation and increase distrust on social media. So even if they don't work, they'll still be bad news.

Three Reasons to Be Cheerful This Week:

1. Better, faster and cheaper spam detection: Google has announced improved text classification technology that it says is "highly effective for security and anti-abuse applications." It improves the spam detection rate by 38%, while reducing false positives and using less computing resources.

2. UK's Online Fraud Charter is a start: The UK government and 12 large tech companies have signed a voluntary 'Online Fraud Charter'. Signatories include Amazon, eBay, Facebook, Google, Instagram, LinkedIn, the Match Group, Microsoft, Snapchat, TikTok, Twitter, and YouTube. We are cynical about 'voluntary commitments', but fully implementing the ideas in the charter would make a difference. It's a start. 

3. Fewer US clandestine info ops: Military information operations using clandestine accounts (i.e. not attributable to the US military) now require the approval of senior Pentagon officials, the CIA and the State Department, and the number of these operations has been drastically reduced. We class this as good news because these operations don't seem to have been all that effective — researchers who examined previous US military clandestine operations found that overt accounts attracted more followers — and when these types of operations were unmasked they eroded the credibility of the US abroad. In other words, most of the time they are just not worth it. 

Shorts

US Gov Squeeeeezes Cryptocurrency Laundering  

The Sinbad cryptocurrency mixer was sanctioned and its websites seized last week by the US government. The US Treasury said that Sinbad was a "key money-laundering tool" for North Korean hackers involved in cryptocurrency theft.

The US government has also negotiated very strict reporting requirements with cryptocurrency exchange Binance, which recently pleaded guilty to money laundering and sanctions violations in late November and was fined USD$4.3bn. These requirements include historical transactions going back as far as 2018, and a former US SEC attorney told Wired these were the equivalent of a "financial colonoscopy". 

A few days after the Sinbad takedown, the State Department's Rewards for Justice program issued a reward for information about North Korean hackers using cryptocurrency mixers.

A Recorded Future report on North Korea's cryptocurrency endeavours was also released last week. The report found that, since 2017, the country's hackers have stolen USD$3bn worth of cryptocurrency. USD$1.7bn of this was in 2022, "a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military", according to the report.

CISA: We Can't Patch Fast Enough

Senior CISA official Eric Goldstein has described the current infosec paradigm of "patch faster, fix faster" as a "failed model".

He's got a point. In just this week alone there are media reports of: Russian state-sponsored actors actively exploiting an Outlook flaw patched in March this year; Citrix Netscaler vulnerabilities being used in ransomware attacks despite a patch being issued in October; and CISA warned of exploitation of an Adobe ColdFusion bug that was patched in March.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq revisit Ukraine's IT Army and examine how the country's government has been making use of the hacktivist force. 

From Risky Biz News:

Black Basta group made $107 million from ransom payments

The Black Basta ransomware gang is believed to have made more than $107 million in ransom payments since the group began operations in early 2022.

The number represents payments made by more than 90 victims of the 329 organisations known to have been hit by the gang.

The largest payment was $9 million, while the average ransom payment was $1.2 million, according to joint research published by blockchain tracking company Elliptic and cyber insurance provider Corvus Insurance.

[more on Risky Business News, including how this puts Black Basta amongst the highest-earning ransomware groups over the last few years.]

US government agencies lag on logging compliance: An audit of 23 of the largest US federal agencies found that most have failed to implement proper event logging and may be unprepared to respond to cybersecurity incidents, especially during the investigation and remediation phase.

Conducted by the US Government and Accountability Office, the report found that 20 of the 23 agencies did not meet a White House executive order mandating they reach a logging level of EL3 by August 2023.

GAO says that only three agencies reached the proper requirement, while 17 were still at EL0 and had not made any headway toward compliance.

[more on Risky Business News]

Plex privacy disaster: Plex media server users are receiving "week in review" reports with what their friends have been watching on their devices. The reports have stirred quite a controversy, as it exposes some users' porn preferences. [Additional coverage in 404 Media]

Reuters Article Removal

Reuters has issued an editors' note announcing what it describes as the temporary removal of an article 'how an Indian startup hacked the world', to comply with a preliminary court order issued on 4 December in a district court in India. The news agency said it stood by its reporting and planned to appeal the decision.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Cyber security firm Huntress has confirmed what organisations like the NSA have been saying — that 'living off the land' is the new normal. 

We've covered the shift towards living off the land techniques (abusing legitimate tools already present in the host environment) by both Russian and Chinese APT actors. A new Huntress report focused on threats to small and medium-sized businesses (SMBs) found more than half of incidents involved LOLbins (living off the land binaries) and were "malware free".

One type of legitimate software that is commonly abused by threat actors to gain and maintain access to targeted environments is remote monitoring and management (RMM) software. Huntress found that 65% of all types of SMB security incidents involved RMM software such as ConnectWise, ScreenConnect, AnyDesk or TeamViewer. These types of software are not detected as malware and their use is often not audited, especially in small organisations. 

Living off the land techniques are also being used by the most concerning threat actors that this newsletter has covered in recent months, including cyber crime groups (see our reports on Octo Tempest or Scattered Spider) and state-backed groups such as the PRC's Volt Typhoon.

Volt Typhoon's campaign is genuinely concerning. Microsoft thought the group was "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises". 

In a recent Risky Business podcast, Morgan Adamski, the director of the NSA's Cybersecurity Collaboration Center said she was worried about the "scope, scale and sophistication" of Chinese APT activity. One element of this was the shift to living off the land. 

"We're going to have to up our game", Adamski said. "You've got to know what your sys admins are doing, are they in every single day, are they actually supposed to be doing the activity that you see them doing?"

"And so it is going to take a concerted effort across everyone in the industry, as well as the net defenders, to really put a lot of time and effort behind this."

Living off the land is here to stay and cyber security organisations are going to have to adapt their practices to cope. 

Subscribe now

Hacks at Key Firms Upset Housing Markets

When key firms that provide services to a range of clients are hit by cyber incidents, the damage ripples out through the economy. For example, in the UK and the US, attacks on companies that provide services to the real estate industry have impacted house sales.

The consequences of breaches like these means key service providers need to be held to very high standards of security. 

Last week, Fidelity National Financial (FNF), a US Fortune 500 company that provides insurance and settlement services to the real estate industry, announced it had blocked access to some of its systems after detecting a breach. 

FNF, which owns a suite of related companies, stated that "the services we provide related to title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries, have been affected by these measures".

The AlphV/Black Cat ransomware gang claimed responsibility for the hack on their leak site the day after FNF's announcement, while also mocking Mandiant, presumably the firm AlphV believes FNF has engaged for incident response.

The fallout was described as a "catastrophe" by TechCrunch, with prospective buyers being unable to close house purchases and left in the dark about their status. When TechCrunch called IPX 1031, an FNF subsidiary, a voicemail responded that "Fidelity National Financial is still experiencing a system-wide outage. We do not have access to send or receive email or access to any system. We appreciate your patience."

In the UK, an attack on CTS, a provider of managed IT services for law firms, is also affecting home purchases by disrupting the legal sector.

Last Thursday November 23, CTS announced it was experiencing a service outage caused by a cyber incident that had "impacted a portion of the services we deliver to some of our clients". 

Today's Conveyancer, a real estate lawyer publication, reported the incident was affecting around 80 firms across the country and wrote that it "risks bringing exchanges and completions to a standstill". The impact felt by each firm varied depending upon their reliance on cloud-based services. One CTS client told Today's Conveyancer:

Depending on your cloud dependency you may, like us, still be able to find workarounds for matters exchanging and completing this week. Other firms have been more affected and are unable to access phone, emails, or case management systems. As a result some transactions are still going ahead today.  

A number of UK law firms spoke to the UK's Property Eye property trade publication, confirming that the incident’s impact was widespread. O'Neil Patient, for example, said that "this issue is impacting a number of organisations across the sector, as our provider is a specialist in secure legal systems for many law firms and barrister’s chambers".  

One lesson here is that service providers are high-impact targets and because so many customers rely on them they need top-notch cyber security standards.

While we do not know how FNF and CTS were breached, cyber security researcher Kevin Beaumont, using information from Shodan, notes both were slow to patch the latest Citrix Netscaler vulnerabilities. 

It is standard practice for cybercrime gangs to take any vulnerability in internet-facing enterprise software and exploit it at scale for either data theft extortion or for network access. CISA warned last week that these vulnerabilities were being actively exploited by cybercrime groups and they have already been implicated in the high-profile compromises of Boeing and the Industrial and Commercial Bank of China. 

A patch for these Citrix Netscaler vulnerabilities was released on the 10th of October. Perhaps the more straightforward lesson here is that organisations need to get much much faster at upgrading and patching their internet-facing vulnerabilities.

Coincidentally, an updated version of the ASD's "Essential Eight" strategies to mitigate cyber security incidents was released this week. One of the big changes is to place higher priority on rapid patching, and the ASD recommends that patches be applied "within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist". That's a tall order for most organisations, but how much angst would have been saved just in recent weeks if that recommendation was implemented?

In the race to exploit or remediate these bugs, too often threat actors are winning.

Three Reasons to Be Cheerful This Week:

1. Swapping vulns for coins: The UK's NCSC is launching a set of challenge coins it will give out to selected researchers who submit reports to its Vulnerability Reporting Service (VRS) and it thinks have "shown themselves to be exemplars of the vulnerability disclosure community". The VRS covers UK government services and this is a good way of encouraging reports that appeals to security researchers' sense of self-worth. 

2. International ransomware group dismantled: Authorities from seven different countries have collaborated to dismantle a ransomware group responsible for attacks in 71 different countries. The group used a variety of ransomware strains, including LockerGoga, MegaCortex, HIVE and Dharma, in attacks that affected over 1,800 victims worldwide. Coordinated raids took place at 30 locations and the group's leader and four accomplices were arrested in Ukraine. 

3. Myanmar rebels battling cyber scams: The Three Brotherhood Alliance, a militia opposed to the Myanmar junta, has taken aim against online ‘pig butchering’ compounds operating near the border with China. The PRC has tried to pressure the Myanmar government to crack down on the crime with limited success. So it's a happy coincidence for the Chinese government that rebel forces have suddenly felt motivated to tackle cybercrime kingpins. 

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Brian Dye, CEO of Corelight about the value of data from NDR tools when it comes to longer term incident response.

Shorts

DP World Dodges the Ransomware Bullet

DP World Australia has confirmed that ransomware was not deployed in a recent incident that we covered earlier this month. DP World Australia says "a small amount" of data was stolen during the incident, including the personal information of current and former employees.

This is a best case scenario as the actual deployment of ransomware would have been far more damaging. As it was, the incident resulted in the shutdown of five ports across Australia, national news coverage and a whole-of-government response. Australia's Minister for Cyber Security, Clare O'Neil, even berated DP World for not patching its systems more rapidly.  

That's more than a little angst. DP World Australia's executive vice president Nicolaj Noes told the Australian Broadcasting Corporation that although getting cyber security right is complex, perhaps they should, in retrospect, have "done some things differently".

PRC Ransomware Pressure Intensifies

The Qilin ransomware group  (aka Agenda) has claimed responsibility for a cyber incident affecting production at Yanfeng Automotive Interiors, a Chinese automotive parts manufacturer. Bleeping Computer reports Yanfeng employs 57,000 people in 240 locations worldwide and the incident disrupted production at multinational automaker Stellantis' North American assembly plants.   

Just two weeks ago, in the wake of a ransomware attack on the US subsidiary of China's largest bank, we speculated about the Chinese government pressuring Russian officials to take action against ransomware crews. It's not clear that Qilin is Russia-based, although cyber security firm Group-IB reported earlier this year that a Qilin recruiter looking for affiliates wrote in Russian and said that the group does not work in CIS countries (countries that were formerly part of the Soviet Union).    

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the evolution of Russian electricity network cyber attacks. 

From Risky Biz News:

Fastly to block domain fronting in 2024: Internet infrastructure company Fastly will block domain fronting on its cloud platform from February 27, 2024.

Fastly now joins a growing list of major cloud companies that have banned domain fronting. The list includes Amazon (banned in 2018), Google (2018),  Microsoft (2022), and Cloudflare (2015).

Domain fronting is a technique to use different domain names on the same HTTPS connection. Because of its ability to hide backend infrastructure, domain fronting has also become popular with malware operations, being adopted by both financially and espionage-motivated groups.

[more on Risky Business News, including the historyof domain fronting, its legitimate uses and how it has been used by services like Signal and Tor to bypass internet censorship.]

Cyber insurance catches on across the EU: An ENISA report on NIS compliance spending has found that roughly 42% of the EU's critical infrastructure and digital service provider operators have signed up for cyber insurance in 2022.

The report notes that while cyber insurance coverage was at 43% in 2020 and just 30% in 2021, the cyber insurance market now appears to be active and developed all over the EU.

[more on Risky Business News, including how companies are complying with the EU's NIS Directive]

Crypto-phishing service shuts down after stealing $71 million: A phishing platform specialising in cryptocurrency thefts has shut down operations after stealing more than $71 million over the past nine months.

Named Inferno Drainer, the platform launched in February this year. Spotted by Web3 security platform ScamSniffer, the service allowed threat actors to create phishing pages for more than 220 cryptocurrency brands.

ScamSniffer researchers say Inferno Drainer was responsible for more than 10,000 phishing sites and helped hackers steal cryptocurrency from more than 103,000 victims since its launch.

[more on Risky Business News]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

We have removed this item because it largely centres on discussion of an article that is subject to a legal action and is no longer published.

If Data Theft Doesn't Work… Troll

The AlphV ransomware group has filed a US Securities and Exchange Commission (SEC) complaint against one of its victims for failing to disclose that it had been breached.

In the words of AlphV's submission, the victim company MeridianLink "failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules".

According to AlphV, the group breached MeridianLink on November 7 and stole files but did not encrypt company systems. 

Beyond the submission being a ridiculous troll, there are also a few more pedantic problems with AlphV's submission. The SEC's four-day disclosure rules don't actually come into effect until the middle of December and they only apply if the company decides the breach is material. MeridianLink told DataBreaches.net, "based on our investigation to date, we have identified no evidence of unauthorised access to our production platforms, and the incident has caused minimal business interruption". So it doesn't sound like a material incident anyway. 

It also looks like AlphV missed a trick here and doesn't appear to have applied for the SEC's whistleblower reward program. This scheme is designed to encourage whistleblowing and monetary fines from SEC enforcement actions that result from submissions can be shared with the whistleblower. This would have been even more absurd and potentially more effective since this caper was all about using publicity to place extra pressure on MeridianLink. 

However, cybersecurity professionals and companies should be aware there could be a real opportunity for ransomware groups to apply more pressure here. The SEC's recent case against SolarWinds and its CISO is based on how the company's cyber security practices didn't match the company's public statements. Perhaps the opportunity for ransomware groups is to write penetration testing reports describing weaknesses in a company's cyber security defences and contrasting those findings with the victim's public statements (such as the boilerplate 'we take cyber security extremely seriously'….etc). They could then threaten to send this report to the SEC.

Subscribe now

Russia’s War for (Hacking) Talent

The Record has published a recent interview with Victor Zhora, the former deputy head of the Ukraine's cyber security agency (the SSSCIP) discussing the evolving tactics of Russian cyber operations. (The day after the interview took place Zhora was reportedly dismissed from the SSSCIP amid an embezzlement investigation). 

Most interestingly, Zhora commented on the difficulties that Russia has recruiting cyber talent, and that it is trying to build a talent pipeline from high schools and volunteer communities. Russia suffered a significant brain drain at the beginning of the invasion as skilled people left the country and this made it difficult for its cyber organisations to grow their capabilities. 

He told The Record that, as a result, "they are putting focus on younger people because it's the only way for Russia to scale up and maintain the same intensity of cyberattacks". 

Zhora also said that Russian groups were also scouring Telegram channels, presumably ones in which patriotic Russian hacktivists organise their activities:

One way of engaging people to cyber offensive operations against Ukraine and our partners is seeking for talents in different Telegram channels where there’s always an officer of [the] FSB [Federal Security Service] or GRU [military intelligence] searching for the most skilled people and then inviting them to more official military structures.

There is already good evidence of coordination between Russian military intelligence and the country's hacktivist groups. However, it's difficult to trust unvetted groups of internet strangers with important cyber operations, so it makes sense to cherry pick (and vet) talented individuals for more important work.

Zhora also recapped trends in Russian cyber operations that we've covered before. These include that Russian state groups remain focused on Ukrainian critical infrastructure and government organisations, but have shifted from disruptive operations to cyber espionage and data exfiltration. They've also shifted toward 'living off the land' approaches that rely on abusing legitimate tools that are already present in the host environment.  

Three Reasons to Be Cheerful This Week:

1. US SIM swap requirements strengthened: The US Federal Communications Commission (FCC) has adopted new rules intended to protect US wireless telecommunications customers from SIM swap fraud. The new rules say wireless providers must use "secure methods of authenticating a customer", but don't specify what these secure methods are — it's up to providers to figure that out. The FCC writes "while the approach we take today gives wireless providers the flexibility to adapt to evolving threats, it also creates an obligation that they adapt to those threats". [Risky Business News has more coverage]

2. Hack-for-hire intermediary sentenced: An Israeli private investigator, Aviram Azari, has been sentenced to 80 months in prison for organising global hacking campaigns. Prosecutors say Azari's clients paid him more than USD$4.8m over five years for organising the campaigns. Notable campaigns targeted individuals critical of now-defunct German payment processing company Wirecard and also climate activists who were campaigning against Exxon Mobil. One of the hack-for-hire firms Azari used was Indian firm BellTrox.  

3. Binance pinged for USD$4.3bn: Binance, the world's largest cryptocurrency exchange, will pay USD$4.3bn to settle violations of US anti-money laundering law. Its CEO Changpeng Zhao (aka CZ) will also step down. We are calling this good news because the terms of the settlement will help clamp down on ransomware payments. The US Treasury Department said that Binance didn't report ransomware payments despite "transacting millions of dollars of ransomware proceeds involving at least 24 different strains of ransomware". 

Sponsor Section

In this Risky Business News sponsor interview, Tom Uren talks to Derek Hanson, Yubico VP of Solutions Architecture and Alliances, about the state of authentication and what Passkeys are all about.

Shorts

Twitter's Flagging Flagging Efforts

Bloomberg analysed hundreds of viral posts on X, the website formerly known as Twitter, relating to the Israel/Hamas conflict and found that the site's efforts to address misinformation were not keeping up with the speed with which misleading posts were going viral.  

Since Elon Musk's takeover of Twitter he has dismantled much of the company's trust and safety function, so mechanisms it previously used to manage misinformation don't exist any more. 

One recent innovation that attempts to address misinformation on the platform is 'Community Notes', a mechanism that gathers other X users' opinions to add context to posts and flag them as potentially misleading.

In theory, this could work because it harnesses users to address misinformation more broadly than a centralised Twitter team ever could. However, Bloomberg found that Community Notes correcting or adding context to posts typically appeared hours or even days after misleading posts had gone viral. Often these posts contained photos or videos that were repurposed from other conflicts (or even video games) and appear to be designed to be deliberately inflammatory.

Of course, Twitter's former role as a site to follow breaking news events is at odds with the slower pace that would come with the careful assessment of posts for misinformation.

How to Join the Active Defence Party

German digital technology think tank SNV (Stiftung Neue Verantwortung) has published a paper on how states should responsibly conduct 'Active Cyber Defence' operations. Its definition of active cyber defence is pretty broad and encompasses state action that ranges from telling ISPs to block or sinkhole malicious traffic to what this newsletter calls ‘offensive cyber operations’ designed to disrupt cyber criminals, as per the UK's National Cyber Force.

Some states already carry out these kinds of operations and we expect that over time more states will take part. The paper is a sensible policy blueprint on how states can join the party. 

I'm In Jail With a Broken Nose…

Now here's an AI-enabled scam that will work. In this video attorney Gary Schildhorn describes a scam which started with a phone call from his son saying that he'd been in a car accident in which he'd broken his nose and injured a pregnant woman.

The AI technology required is the ability to clone a voice, which could then be combined with a soundboard to trigger pre-prepared phrases. But this is a targeted attack that requires the scammers to do some homework beforehand. Firstly, the scammers need to identify individuals with enough speech available online such that their voice can be cloned. They then need to find relatives and contact details. But once they've done that we suspect their success rate will be pretty good.  

Fortress Australia, Cyber Edition

The Australian government released its latest cyber security strategy this week and on the whole we approve. 

The strategy takes a defence-in-depth approach framing with six 'cyber shields' ranging from "strong businesses and citizens" to "protected critical infrastructure". The third shield, "World-class threat sharing and blocking", is interesting. It takes a 'fortress Australia' approach and aims for whole-of-economy threat intelligence sharing, coupled with threat blocking at ISPs and telcos.

The strategy extends out to 2030, however, and there are not a lot of new funds given the extended time frame. A reasonable chunk of the new money is allocated to help Pacific countries both improve their cyber security and also to respond to crises. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how being more open about cyber security threats is great for marketing but has also forced cyber security companies to pick sides and make value judgements.

From Risky Biz News:

DIALStranger vulnerabilities disclosed after four years: Turkish security researcher Yunus Çadirci has discovered vulnerabilities in the DIAL protocol and misconfigurations in vendor equipment that can be used to force TVs and other capable devices into forcibly playing an attacker's video content.

The DIALStranger flaws were discovered way back in 2019, but Çadirci kept the original report private for four years as the protocol received patches and vendors slowly updated devices.

[more on Risky Business News, including how the flaw could be used for "mass-rickrolling"]

NTMC leak: Bangladesh intelligence agency NTMC has left a sensitive database exposed on the internet and leaked the personal details of an unknown number of citizens. The leaked data contained more than 120 data points for each citizen, ranging from real names to Twitter IDs, criminal records, and phone call records. Discovered by Viktor Markopoulos of CloudDefense.AI, the researcher says he reported the database to Bangladesh officials, but the server was never secured. Instead, it was wiped and replaced with a ransom demand, presumably in an automated attack. [Additional coverage in Wired]

Tor Project removes 1k relays linked to cryptocurrency scheme: The Tor Project has removed an estimated 1,000 relay servers from its network, citing their involvement with a for-profit cryptocurrency scheme.

The scheme allegedly promised cryptocurrency tokens for users who set up and ran Tor relays.

In a blog post on Monday, Tor admins said they removed participating servers to protect the integrity and reputation of their project. The removal was subject to a community vote that passed last week.

[more on Risky Business News, including Tor's funding sources]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Ransomware criminals continue to make hay despite increased government efforts worldwide to clamp down on the ecosystem. What's next?

Last week, the US financial services division of China's biggest bank, the state-owned Industrial and Commercial Bank of China (ICBC), was hit by ransomware that reportedly affected trading in US Treasuries. According to The Financial Times, "the attack prevented ICBC from settling Treasury trades on behalf of other market participants" and that "with its systems compromised, ICBC Financial Services proposed sending a USB stick with trading data to BNY Mellon to help it settle trades". I mean, this is very serious, but lol.

This left ICBC's US unit owing BNY Mellon USD$9bn for unsettled trades, with the subsidiary requiring a capital injection from its parent company to pay the debt. Yikes. 

This hack was discussed in the diplomatic stratosphere, and US Treasury Secretary Janet Yellen raised it with Chinese vice-premier He Lifeng. 

Ransomware gang LockBit claimed the attack and told Reuters over the Tox encrypted messenger that ICBC had paid a ransom. Reuters was not able to independently verify this particular claim, but LockBit's involvement was confirmed in reporting from The Wall Street Journal.

This is a very brazen attack but we also think it's a risky one, at least for the people directly involved, as it is the kind of thing that motivates government officials to take action. And we're not talking about US officials here, but Chinese ones.

Assuming LockBit has some Russian nexus (they advertise on Russian-language dark web forums), Chinese officials could have some influence over Russian law enforcement efforts. The leverage the PRC has over Russia has increased since the Russian invasion of Ukraine and, as Risky Business News reported last week, Russian officials can arrest cybercriminals when they are motivated to. 

If the PRC does ask Russian officials to take action, however, we think this will likely just result in the arrest of a few ransomware affiliates. It will not significantly change the ransomware game. 

The ICBC aren't LockBit's only recent high-profile victims. Security researcher Kevin Beaumont reports that a LockBit "strike team" has been using a recent Citrix Netscaler vulnerability (known as CitrixBleed) to get initial access to organisations and then passing that onto another team that ultimately deploys ransomware.  (LockBit's use of CitrixBleed to gain access to the ICBC was reported in The Wall Street Journal).

Other organisations that Beaumont has found running vulnerable versions of Netscaler include British multinational law firm Allen and Overy, Boeing, and DP World Australia. LockBit has claimed credit for the ransomware attack on Allen and Overy and have leaked data purportedly from Boeing as well. 

And DP World Australia was crippled by an attack last Friday. Per the Australian Financial Review:

The Middle Eastern-owned stevedore, which operates terminals in Sydney, Melbourne, Brisbane and Perth and handles about 40 per cent of the goods coming in and out of Australia was forced to shut down technology systems at 10am on Friday.

The shutdown prevented some 30,000 containers of goods from moving in or out of its terminals, including refrigerated containers that can hold anything from lobsters and wagyu beef to blood plasma.

While ships could still offload and pick up containers, the technology systems that allow trucks to share data with the stevedore were turned off, meaning trucks could not get into DP World’s terminals to collect or drop off containers.

There hasn't been an official confirmation of who breached DP World Australia or how they did it, but Beaumont's Citrix Netscaler compromise theory seems plausible or even likely. A patch for that vulnerability was released on the 10th of October. 

The Australian government has a playbook for these kinds of serious cyber incidents where it rolls out a whole of government response coordinated by a 'cyber disaster tsar' (aka the National Cyber Security Coordinator). This approach uses an emergency response framework that was developed during the Covid pandemic and was first used in the case of a cyber incident when responding to the Medibank Private breach late last year. 

From the point of view of a critical infrastructure company, part of this is great. If you are the victim of a significant cyber security incident you'll get all kinds of government assistance! On the other hand, the government will learn if your cyber security posture was sub-par.  

This essentially puts all critical infrastructure companies on notice to up their game. 

That's a good thing, but what else can governments do? Back in November last year Australia's Cyber Security Minister Clare O'Neil announced "an ongoing, joint standing operation to investigate, target and disrupt cyber criminal syndicates with a priority on ransomware threat groups".

In January this year we covered how LockBit's porous OPSEC made it "ripe for disruption" and in June this year cyber security authorities in the Five Eyes, France and Germany issued a cyber security advisory warning about LockBit ransomware.  We'd be stunned if these recent incidents don't make LockBit a priority target for state action. 

Although we love writing about flashy government disruption operations involving website takedowns and press releases, we think operations that covertly degrade ransomware groups are more sensible. Flashy operations push ransomware affiliates to greener pastures, whereas discreet operations leave them toiling joylessly in the ransomware salt mines.

We think these kinds of offensive cyber disruption operations will make a difference, but won't eliminate ransomware. Ultimately, the crime needs to be starved of funds and so efforts to prevent ransomware payments should be accelerated.   

Banks Dragged Kicking and Screaming to Combat Fraud 

Reuters reports that banks in the US have begun refunding victims of 'imposter scams' on payment app Zelle. 

Imposter scams involve people being tricked into sending money to scammers. Prior to June 30 the banks that run Zelle did not refund victims of these scams, as the customers themselves were authorising the transfer. This meant they weren't required to provide refunds under federal law.  

This reminds us of new UK rules for payment systems that come into effect next year. The UK rules apply to essentially the same type of fraud, although the Brits call it Authorised Push Payment (or APP) fraud. On Britain's 'Faster Payments' system, UK payment firms will split the cost of reimbursement 50:50, giving both the sending and receiving firm incentives to crack down on fraud.

The documents the UK's Payment Systems Regulator released regarding the change are very interesting, particularly its cost-benefit analysis. They leave us with the strong feeling that US banks could do much more, but have taken the steps they have to head off the possibility of more expensive regulations.    

Our question for US regulators and lawmakers is: who do you care more about? Banks or people?

Subscribe now

Three Reasons to Be Cheerful This Week:

1. Phobos ransomware affiliates charged in France: French authorities have charged a Russian couple and allege that they have been working as affiliates for the Phobos ransomware gang. The couple are from Saint Petersburg, Russia and were arrested in Italy and then extradited to France. Officials say the couple has worked with Phobos since 2020 and are linked to payments from more than 150 victims across the world. 

2. Myanmar scam centre progress: Over 160 Thai nationals will be returned to Thailand after being rescued from gangs running scam centres following a joint PRC-Myanmar law enforcement operation. Seriously Risky Business covered these type of 'pig butchering' scam centres here.

3. Gene giants move to 2FA by default: Following the theft of user records from the 23andMe DNA testing firm, it and other companies in the sector, including Ancestry and MyHeritage, will start using multi-factor authentication for customers by default. For 23andMe, this is very much shutting the gate after the horse has bolted, but it is better than not shutting the gate at all.   

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Ryan Mahoney, Product Director at Gigamon. The TLS 1.3 encryption standard makes passive network monitoring inside your network difficult without break and inspect contortions, but Gigamon's precryption technology provides the visibility into encrypted traffic in hybrid environments that network defenders need.

Shorts

Catching the Mirai Botnet Boys

Wired's Andy Greenberg has a good long read covering the story of the Mirai botnet and its three authors, who were teenagers when they started creating the software. Two of the three had originally started a DDoS protection company, ProTraf, and created Mirai to launch DDoS attacks to drum up business.

It was a slippery slope that eventually ended up with Mirai taking out significant portions of the internet with the world's largest DDoS attacks at the time. The three were eventually tracked down by the FBI and cooperated with the organisation in cases against other cybercriminals.

Ultimately, it's a story of redemption. The trio avoided jail time because of their cooperation with the FBI. While doing community service they assisted in the creation of an IoT malware honeypot for an anti-DDoS organisation and have since gone on to jobs in finance and security research. 

Not Catching Scattered Spider?

Some of the individuals in the Octo Tempest group, aka Scattered Spider, that we've referred to as Lapsus$-style hackers have reportedly been identified. But what’s next? According to Reuters: 

For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.

The Reuters' article quotes several cyber security experts who question why these individuals haven't been arrested.

We are willing to give the FBI the benefit of the doubt here, especially after reading Wired's investigation into Mirai (above). In that case, the arrests took place over many months but ultimately resulted in them assisting police investigations and being diverted from a potential life of crime. 

State-based Hackers Focus of Government Reports 

The Australian Signals Directorate released its 2023 Cyber Threat Report on Tuesday and the UK's National Cyber Security Centre released its Annual 2023 Review on the same day.

The two reports are same same but with slightly different flavours. Both emphasise the risk to critical infrastructure from state-backed hackers, although the UK report is far more explicit about the cyber security threat posed by the PRC.  

Israel Turning to Blacklisted Spyware Vendor 

According to reporting from Axios and Bloomberg, Israeli security services are turning to the NSO Group spyware company and its Pegasus mobile spyware to help track hostages in Gaza that were kidnapped by Hamas.

Using mobile spyware like Pegasus to locate and possibly collect intelligence from hostages or suspected terrorists makes perfect sense in this situation. From the reporting it appears the Israeli government has its own capability but is looking to Israeli spyware companies including NSO Group, Candiru and others to provide extra capacity.  

Both NSO Group and Candiru were blacklisted by the US government in 2021 because their spyware products had been used extensively to target civil society in a variety of countries. It looks like NSO Group is trying to redeem its reputation, and Axios also covers the company’s recent lobbying efforts in the US.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about International Humanitarian Law or the 'Rules of War' and whether they make any sense in cyberspace. 

From Risky Biz News:

Clop is coming after your SysAid servers: The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug…

The recent attacks would make SysAid the fourth different enterprise software the gang has exploited this year after it previously targeted GoAnywhere and MOVEit file transfer servers and PaperCut print management servers.

[more on Risky Business News]

OCCRP journalists targeted with Pegasus: Two Indian reporters from the Organized Crime and Corruption Reporting Project have had their phones targeted with the Pegasus spyware. The attacks took place hours after the two reporters reached out for comment to the Adani Group, one of India's largest companies. The reporters were investigating the Adani Group's owners for possible market manipulation by secretly buying their own stocks. OCCRP reporters Ravi Nair and Anand Mangnale are two of the 20 Indians that Apple notified in October that their phones were targeted by state-sponsored malware.

Russia hacked 22 Danish critical infrastructure companies: Russian state-sponsored hackers have breached at least 22 Danish companies operating in the country's energy sector.

Denmark's CERT team for the critical infrastructure sector (SektorCERT) described the intrusions as the largest cyber-attack in the country's history.

In a report [Danish PDF, machine-translated English file] published over the weekend, SektorCERT tentatively attributed the attacks to Sandworm, a cyber unit inside Russia's military intelligence service GRU.

[more on Risky Business News]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Last week, Microsoft announced a “Secure Future Initiative" to improve its ability to cope with increasingly sophisticated cyber security threats. 

This reminds us of Microsoft's last security epiphany, the Trustworthy Computing initiative, launched in 2002. Unfortunately, compared to the clarity, focus and commitment of the Trustworthy Computing initiative, this announcement is disappointing.

In a post describing the Secure Future Initiative, Microsoft President and Vice Chair Brad Smith wrote that the new initiative was required because of the "increasing speed, scale and sophistication of cyberattacks". 

We don't think Smith is quite right here. We would say Microsoft needs security reform because it has been making unacceptably vulnerable products.  

Threats are increasing in speed, scale and sophistication, but the fundamental problem for Microsoft is that its security culture just isn't up to scratch. In a breach of its email services earlier this year, for example, Microsoft's own post-mortem revealed a series of decision-making failures that simply would not have occurred in a security-conscious organisation. 

This results in products that are not as secure as they should be. This newsletter has covered a constant flow of Microsoft security gaffes over the past few years.

These security flaws draw in attackers like flies to rotting meat. 

Smith wrote that Microsoft's efforts will consist of three pillars "focused on AI-based cyber defences, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats".

The most promising part of the initiative describes specific engineering goals that Microsoft is committing to. Charlie Bell, Microsoft’s Security Vice President, expands on these in an internal email, where he writes that Microsoft will:

• "transform the way we develop software with automation and AI so that we do our best work in delivering software that is secure by design, by default, in deployment, and in operation"

• "provide a unified and consistent way of managing and verifying the identities and access rights of our users, devices, and services, across all our products and platforms"

• Improve the speed of vulnerability response and security updates on cloud platforms to "cut the time it takes to mitigate cloud vulnerabilities by 50 percent".

This all sounds good, and we cover some positive initiatives in Three Reasons to be Cheerful this week. But overall, we are terribly underwhelmed by Microsoft's messaging here. In his email Bell issues a lukewarm call to arms:

We recognise that not all of you will be deeply involved in all of the advances we must make. After all, the first priority is security by default. But all of you will be engaged and, more importantly, your constant attention to security in everything you build and operate will be the source of continuous innovation for our collective secure future.  Please read on, absorb the "what" and the "why," and contribute your ideas on innovation. We are all security engineers.

In 2001, Microsoft was at a similar crossroads after it had been stung by a series of security problems, including the CodeRed and Nimda worms. In January 2002 Bill Gates sent an internal email that launched Microsoft's Trustworthy Computing initiative. In his very first paragraph Gates is crystal clear that the initiative is the top priority for everyone in the company:

Over the last year it has become clear that ensuring .NET (Ed: a new Microsoft computing platform at the time) is a platform for Trustworthy Computing is more important than any other part of our work. If we don’t do this, people simply won’t be willing — or able — to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.

Towards the end of his email Gates re-emphasised the importance of Trustworthy Computing and underscored how Microsoft needed to shift its priorities:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasise security right out of the box, and we must constantly refine and improve that security as threats evolve… If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimise downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.

This single paragraph clearly spells out how Microsoft went wrong, why it needed to change and what its new priorities were. After this memo Microsoft's security really did improve, for a while.

By contrast, Smith and Bell's messages about the Secure Future Initiative make no mention of changed priorities and what Microsoft will forego to achieve better security. Is the expectation that security improvements will flow naturally from doing extra engineering work rather than requiring any recalibration of Microsoft's priorities?

Beyond these engineering efforts, a large section of Smith's post deals with how Microsoft will use AI to improve security. Within Microsoft, the company will use it to improve its threat intelligence and cope with a "vast sea of digital data" including by helping it to "to find the right needle even in a sea of needles". 

Outside the organisation Microsoft will use AI "as a gamechanger for all organisations to help defeat cyberattacks at machine speed". Of course, using AI responsibly is also a must. 

I mean, I guess this is good, but how much of your security strategy should rely on AI being a game changer? Will the technology super charge Microsoft's security? Or just make security professionals moderately more effective? In our view, exploring AI to improve cyber security is a worthwhile experiment, but it is no substitute for the commitment to security that Gates demonstrated in 2002.

Smith's post finishes with norms of international behaviour, which he describes as a "third critical component" of Microsoft's Secure Future Initiative. This commits Microsoft to advocate for standards that would govern the behaviour of actors in cyberspace, including both government and non-state actors.  

This section contains a diverse mix of recommendations or commitments that range from the sensible to the naive and sometimes self-serving. For example, "states should recognise cloud services as critical infrastructure, with protection against attack under international law". 

We don’t think pursuing changes to international standards or behaviours will change the way threat actors behave in any significant way. Microsoft should focus on the baseline security of its products, with lobbying for better behaviour from states and cybercriminals a second- or third-order issue. 

Fundamentally, our critique of the Secure Future Initiative stems from our diagnosis that Microsoft isn't delivering secure products because its culture does not value security appropriately. It won't fix that problematic culture by launching engineering efforts, using AI, or by improving international norms of behaviour. 

Subscribe now

Encrochat Crimephone Operation Cut Short By Police Leak

Natalie Mottram, a former intelligence analyst for the Cheshire Police, has been jailed in the UK for revealing to criminals that the EncroChat encrypted crimephone had been hacked by law enforcement agencies.  

The EncroChat system was breached by a French interception operation in April 2020. That month, Mottram told Jonathan Kay, her friend and flatmate and a man with criminal connections, that EncroChat had been compromised. Associates of Kay used EncroChat to warn other users that the system had been compromised and by June the company EncroChat shut it down after learning it had been breached.

The UK's National Crime Agency learnt there was a leak when they intercepted some of these messages warning of a breach. The NCA then launched a sting operation to confirm Mottram was responsible.  

The police action against EncroChat was tremendously successful and here is more on the history of police actions against crimephones. 

Three Reasons to Be Cheerful This Week:

1. More, Better MFA for all: Microsoft has announced that it will automatically roll out conditional access policies to Microsoft Entra ID (formerly Azure Active Directory) customers. This means that more users will be required to use multi-factor authentication and Microsoft's goal is to have 100% MFA authentication. Microsoft has also rolled out a feature to combat MFA push fatigue attacks where suspicious or risky login attempts won't result in a notification on a user's phone. Instead users will be prompted to open Microsoft's Authenticator app to complete the sign-in process. 

2. Indian crypto-scam arrests: Indian authorities arrested eight people, including four police, involved in crypto-related scams. This is part of a continuing crackdown with 18 people arrested so far. 

3. Dodgy VPNs need not apply: The Google Play store has started to add security audit badges to VPN apps. An app can earn these badges by undergoing an independent security check through an approved partner. Bleeping Computer has good coverage. 

Sponsor Section

In this Risky Business News sponsor interview, Tom Uren talks to Huxley Barbee, Security Evangelist at runZero, about finding the unknown unknowns and what is a security evangelist.

Sponsor Demo

Senior Sales Engineer Ali Cheikh demonstrates the runZero platform to Risky Business host Patrick Gray. runZero is a cyber asset management tool that combines active scanning, passive discovery, and API integrations to discover IT, OT, and IoT assets (both managed and unmanaged) across your network, including cloud, mobile, and remote environments.

Shorts

eIDAS Is Just a Terrible Idea

More than 300 companies, NGOs, scientists and researchers have asked the EU to reconsider its proposed eIDAS regulation (Electronic Identification, Authentication and Trust Services) in two separate open letters. 

Both the industry joint statement and the letter from civil society organisations and individuals argue that the regulation would undermine web security. The regulation proposes that any EU member government be able to issue certificates that web browsers must accept as valid, which would potentially allow any EU member state to intercept the web traffic of any EU citizen, for example. The industry letter was signed by Cloudflare, Akamai and Mozilla, and Google also separately backed this industry position. The Record has further coverage. 

Iran-Israel Cyber Argy Bargy

According to Palo Alto Networks, an Iranian-backed hacking group that it calls Agonizing Serpens, has launched a series of destructive attacks targeting the education and technology sector in Israel from January through October this year. Microsoft has linked the group, also known as Agrius, Pink Sandstorm, and BlackShadow, to Iran's Ministry of Intelligence and Security.

Russia Arrests Cybercriminals When It Wants To

Risky Business News reports that the Russian FSB detained two men accused of attacking Russian IT systems on behalf of Ukraine: 

Officials detained a student from Tomsk and a 36-year-old from Belovo, Kemerovo. The FSB says the two suspects joined Ukraine's "cyber troops," received orders from Ukraine's security services, and attacked Russian critical infrastructure. The two have been charged with high treason and face prison sentences from 12 years to life in prison.

There are two lessons here. Firstly Russia has some capacity to arrest cyber criminals when the government cares. Secondly, attacking Russian IT systems from within the country is just a bad idea.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss the 35th anniversary of the Morris worm and what it tells us about the evolution of cyber security. 

From Risky Biz News:

Chinese APTs evolve towards stealth, zero-day abuse: Chinese state-sponsored hacking operations have undergone a major shift in recent years, with groups growing in sophistication and abandoning noisy and high-volume campaigns for stealthy and extremely targeted attacks…

Recorded Future published an excellent report this week that perfectly contextualises what has been happening with China's APTs in the 2020s.

[much more on Risky Business News, including trends such as the move away from custom malware and adoption of living-off-the-land techniques, and shifting from high-volume targeting towards "more coordinated and thoughtful" targeting.]

Finally, the report also includes an attribution map for China's APT groups, including their suspected geographical locations. This is in line with what Sekoia published earlier this year, too.

US sanctions Russian woman for laundering money for Ryuk gang, Russian elites: The US Treasury has sanctioned a Russian businesswoman named Ekaterina Zhdanova for helping Russian oligarchs and cybercrime gangs evade sanctions and launder stolen cryptocurrency.

Officials say Zhdanova operated a luxury watch company with offices around the world in order to maintain access to the global financial system. She was also a customer of Garantex, a Russian cryptocurrency exchange the Treasury sanctioned in April 2022 for laundering more than $100 million in cybercrime proceeds.

According to US officials, Zhdanova was involved in laundering more than $105 million for her customers.

Mozi botnet goes down: The Mozi botnet has finally gone down for good after a mysterious entity removed its malware from infected IoT devices across the globe. The removal took place at the end of August, with infected hosts being first removed from systems in India and then from China. Security firm ESET says the Mozi takedown was executed with a special killswitch component that was signed with the malware's original private key. The company couldn't say if the killswitch was activated by the Mozi botnet creators or by Chinese law enforcement, which detained some of the Mozi authors in June 2021. First spotted in November 2019, the botnet infected more than 1.5 million devices across its lifetime, peaking at 160,000 infected systems in September 2020.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

Groups of young Lapsus$-style hackers are rapidly evolving their tradecraft and aggressively exploiting organisations in ways their victims don't expect. 

A new Microsoft report describes the evolution of a group it calls Octo Tempest and charts its increasingly aggressive tactics and the rapid change in its targets. In early 2022, Octo Tempest focused on social engineering and targeting mobile providers to enable SIM-swapping crimes such as cryptocurrency theft, and selling the access gained to other criminals. 

However, by early 2023, the group was targeting telecommunications, email and tech service providers, and collaborating with the ALPHV/BlackCat ransomware-as-a-service operation to extort organisations by threatening to leak stolen sensitive data. 

By June 2023, Octo Tempest had started to deploy encrypting ransomware payloads and, over the year, has expanded its targets to businesses in sectors such as resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

Although Microsoft refers to this group as Octo Tempest, other security researchers have tracked similar behaviour under entities with different names (Scattered Spider by Crowdstrike, UNC3944 by Mandiant and Oktapus (because of its targeting of identity provider Okta). These names, however, do not describe groups with well-defined and stable membership so much as subsets of a broader ecosystem of individuals that cooperate on different criminal activities using an ever-evolving set of effective and increasingly aggressive tactics. 

Some individuals involved have been linked to the Comm, a particularly nasty online group a recent 404 Media article describes as a nebulous network of hackers, gamers, Discord adherents and others:

The Comm is large, with hundreds or thousands of participants in various Telegram channels and Discord servers, with many different subsections and subgroups focusing on their own priorities. 

In many cases, members of the Comm are not limited to just performing SIM swaps, which is when a hacker takes over a phone number to then break into the target’s online accounts. Members also participate in and commission physical violence. Comm members, for example, have kidnapped one another to gain access to a rival’s cryptocurrency. Gunmen fire weapons at targets' houses or throw bricks through their windows. Violence only makes up a slice of Comm, but it carries significant cultural weight throughout the group: Discord and Telegram channels often quickly share videos of the latest robbery or attack. Members have also performed swattings against schools and universities. 

A standout feature of Octo Tempest and related groups is their very effective use of social engineering to gain access to organisations. Microsoft says they do their homework:

Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts. The threat actor performs research on the organisation and identifies targets to effectively impersonate victims, mimicking idiolect on phone calls and understanding personal identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. Octo Tempest has also been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

Ransomware incident response firm Coveware wrote about Scattered Spider, a related group, in its latest quarterly report. Although the group is adept at social engineering, it appears that just a few individuals appear to have the right skills:

One of the most common overlapping tactics observed was the skillful social engineering of the IT support desk to subvert, reset or overcome multi-factor authentication. Not only did we consistently see this tactic, but voice recordings from impacted enterprises confirmed that this group was consistently using the same two or three individuals to perform the social engineering.

One of the more eye-opening details in Microsoft's report is Octo Tempest's use of threats of physical violence to try to coerce targeted individuals into sharing credentials for corporate access. This takes the personal information gathered in prior research and uses it to lend credibility to threats of physical violence, making use of home addresses and family names, for example. 

This is not new behaviour. The Cyber Safety Review Board's review of Lapsus$ and related groups published in July this year  found some threat actors were targeting cybersecurity professionals and their families with swatting attacks.

Bill Siegel, Coveware's CEO, told Seriously Risky Business these threats were typically used as a last resort when quieter tactics such as social engineering had failed. He wasn't convinced that threats of violence were all that effective at gaining access, saying "in our experience, this tactic has the opposite of its intended effect". 

"It hardens the resolve of the victim organisation to resist the attack and the extortion tactics," he continued. "It also opens the criminals up to a wide range of new potential criminal charges if they are ever caught."

However, threats of violence are among the tactics that current cyber security practice isn't prepared for — the rubber hose attack doesn't appear in the latest MITRE ATT&CK framework, for example. Microsoft's report says threats of violence are rare, but Siegel says these threats can escalate to swatting attacks. 

While we hope swatting attacks remain rare, the potentially severe consequences mean CISOs should implement measures to minimise their risk and impact.   

Coveware also describes a new extortion tactic which we are dubbing PITA extortion (Persistent IniTial Access extortion). Coveware writes:

The tactic involves persistence that is extremely deep and time consuming to cleanse.  Once achieved, the threat actor then dangles the offer of "pay us and we will leave… Don’t pay us and we will continue to root around causing chaos". 

Microsoft and Coveware have a series of recommendations on how to deal with these kinds of threat actors. Beyond expected recommendations such as using phishing-resistant MFA for administrators, Microsoft also advocates the use of "out-of-band" communications channels during incident response, because Octo Tempest often monitors corporate messaging networks to gain insight into defender’s plans. It often communicates on these networks to taunt defenders too.

Coveware recommends hardening IT helpdesk procedures when password reset or MFA change requests are made to confirm the identity of the calling party. These include calling employees back on numbers listed in the company's internal directory and asking for photographic proof of identity. However, Coveware points out that, especially when IT support is outsourced offshore, incentives that encourage the quick resolution of problems actually make social engineering easier.

Aggressive Lapsus$-style hackers are adapting the tactics they use very rapidly and the cyber security ecosystem needs to keep up.

Subscribe now

SEC’s Disclosure Demands a Halloween Horror for CISOs  

The US Securities and Exchange Commission has announced charges against US software maker SolarWinds and its CISO, Timothy Brown, "for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities".

In other words, the SEC alleges Brown and SolarWinds defrauded investors by  "overstating SolarWinds' cyber security practices and understating or failing to disclose known risks". 

The formal complaint alleges that a SolarWinds 'Security Statement', as posted on its public website did not reflect the reality of the company’s operations. The security statement claimed that SolarWinds: followed the National Institute of Standards and Technology Cybersecurity Framework; followed a Secure Development Lifecycle; had implemented a strong password policy; and maintained strong access controls.

The SEC alleges that all these statements were untrue and also material to the company (important enough to affect the companies perceived value). In one example, SolarWinds used an Akamai server to distribute updates to customers whose password was 'solarwinds123'. Even worse, the credential was discovered by a security researcher who found it in a public github repository.

To be absolutely clear here, the SEC is not trying to punish SolarWinds' for poor cyber security practices or for being the victim of a security incident. Its beef is with the public statements that allegedly whitewashed the true state of SolarWinds security. 

The SEC also takes issue with what it describes as SolarWinds' "boilerplate" cyber security disclosure that was filed with the SEC when the firm returned to being a publicly traded company in October 2018. The SEC says this text only contained "generic and hypothetical risks that most companies face", and excluded specific risks the company was aware of. 

SolarWinds is far from the only company using generic boilerplate disclosures when it comes to cyber security risk. The SEC wants to use SolarWinds as an example to let companies know they should "do better" and more accurately reflect the specific cyber security risks they face.

The Risky Business podcast has an extensive discussion of this issue with Dmitri Alperovitch and former CISA Director Chris Krebs. Krebs thinks this case will have "massive implications". He said that if you are a  CISO in a publicly-traded organisation "that is not fully empowered by the C-suite that is not fully resourced, equipped, with the appropriate personnel, then your risk tolerance just dropped a whole bunch". 

Risky Business News has a more detailed write up that includes the reaction from a variety of security industry people.

Three Reasons to Be Cheerful This Week:

1. Nigerian cybercrime training centre shut down: The Nigeria Police Force announced that its National Cybercrime Center had shut down a recruitment and mentoring hub run by a cybercrime syndicate. The syndicate is linked to romance scams, business email compromise and financial fraud. 

2. Countries move against ransom payments, a little: 40 countries in the International Counter Ransomware Initiative plan to commit to not paying ransoms when national government computer systems are affected. Stifling payments is clearly a focus of the group, and stopping government payments is a start. 

3. Good news everyone! Ransomware isn't ten times worse! In last week's Risky Business podcast NSA Cybersecurity Director Rob Joyce praised the FBI's efforts to disrupt ransomware actors. Joyce said that without the FBI's actions ransomware "would be 10x worse".

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Patrick Garrity, VP of Marketing and security researcher at Nucleus Security, on the rise and evolution of vulnerability threat intel and how CISA KEV's new ransomware section will be a game changer.

Shorts

AI Safety and Security For All

US President Joe Biden has issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. It's very long but the fact sheet is far more accessible.  

The cyber security-related aspects focus on making AI technology itself safe, secure and trustworthy and also using it to improve cyber security. This includes establishing a program to develop AI tools to find and fix vulnerabilities in critical software. 

Another element of the EO aims to protect firms from the theft of AI-related intellectual property. 

Apple Shuts the Door on Illicit (and Lawful) iMessage Access

Apple announced an upcoming feature called iMessage Contact Key Verification that allows users to verify they are only messaging the person or people they intend to.

The idea here is to protect against the compromise of Apple's key directory service, which could allow an adversary to decrypt messages.

This would also make impractical what is often called the GCHQ proposal for exceptional access. In this proposal, sometimes also known as the 'ghost user protocol', government's compel service providers to silently and invisibly add law enforcement personnel into ongoing conversations under warrant.

Breaking Open Operation Triangulation 

Kaspersky has a good write up of its efforts to recover the malware used in what it calls Operation Triangulation, an iPhone and iPad malware campaign that targeted the devices of some Kaspersky employees. The Russian FSB security service attributed the operation to the NSA and said that thousands of devices belonging to Russian citizens had been affected. 

The developers took many precautions to prevent recovery and analysis of their malware. It took Kaspersky several months but it was able to recover the exploits, implant and various modules used in the attack.

StripedFly Mystery

If you enjoy malware deep dives, Kim Zetter also examines the mystery of StripedFly, an espionage platform that masquerades as a cryptominer and uses a custom TOR implementation for communication.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about what is really at stake with cyber security and why it is worth investing in. 

From Risky Biz News:

CitrixBleed vulnerability goes from bad to disastrous: A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. In some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.

[more on Risky Business News including more on the bug's exploitation which has possibly been occurring since late August]

First Kazakhstan-based APT discovered, tries to disguise itself as Azerbaijan: In a blog post this week, researchers with Cisco Talos have formally linked a cyber-espionage group named YoroTrooper to Kazakhstan, making it the first official APT group operating out of the country.

First spotted in the wild in June 2022, the group has followed the pattern of most nascent cyber espionage programs, starting with run-of-the-mill commodity malware and slowly moving to custom capabilities in recent attacks.

[more on Risky Business News]

Spyware alerts in India: Apple has notified over a half dozen lawmakers from India's main opposition parties that their iPhones have been targeted by state-sponsored attacks. Victims included figures from India's main opposition parties, such as the National Congress, AIMIM, the AAP, and the Communist Party. The alleged hacking attempts took place weeks before Indians are set to elect members to its new Parliament. In a press conference, Rahul Gandhi, leader of the National Congress Party and Modi's main rival for the upcoming elections, accused the Indian government of the attempted hacks. Besides politicians, two Indian journalists and a member of an NGO also received notifications from Apple. [Additional coverage in TechCrunch]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

A purported group of pro-Ukrainian cyber activists, the Ukrainian Cyber Alliance, has disrupted an active ransomware gang, known as Trigona, by hacking and deleting the group's servers. 

If a group of hacktivists can compromise a ransomware gang, these gangs are certainly susceptible to operations run by better organised and resourced state cyber outfits. 

While the hacktivists’ actions will hurt, this is probably a speed hump for Trigona rather than an enduring disruption. The group claims that it will return quickly.

We think a competent state-backed group would maximise the grief it caused by quietly degrading a ransomware group's activities over a long period of time.

The ransomware group has operated since the beginning of 2022 but only branded itself 'Trigona' toward the end of last year when it launched a Tor negotiation site. A Trend Micro report on the group from June this year describes it as "highly active”. The report said the group had created both Linux and Windows versions of its malware and was continuously updating them.

Trend Micro detected attempted Trigona ransomware attacks primarily in the technology and healthcare industries, with just over half detected in the US and India. However, Trigona’s attacks could be opportunistic rather than targeted to specific industries and countries. In April this year, for example, the group targeted internet-exposed Microsoft SQL servers using password guessing attacks.

Trend Micro said the Trigona group had "poor operational security when it comes to the implementation of Tor sites". However, the cyber security firm said the group’s targeting of poorly-secured SQL servers was a cut above less technically proficient actors. 

The Ukrainian Cyber Alliance said it gained access to Trigona's infrastructure using a known vulnerability in its Atlassian Confluence collaboration platform. A representative of the Alliance, herm1t, said on X (formerly Twitter) that Trigona's "admin panel, landing, blog, leaks site, internal server (RocketChat, Atlassian), wallets and dev servers dumped and erased". In a Facebook post, the same representative said Trigona's "entire infrastructure is completely destroyed" and they told Bleeping Computer that they had taken the gang's cryptocurrency hot wallets. 

Herm1t also said data from Trigona had been taken and would be distributed to researchers after the Cyber Alliance had a chance to go through it.

The Ukrainian Cyber Alliance's claimed motivation here is that ransomware groups are bad people that often operate freely in Russia. In their Facebook post, Herm1t says "we simply found one such gang and treated them the same way they treat others".

Now, it can be difficult to be sure that purported hacktivists are genuine and one possibility here is that this breach is a state operation masquerading as a hacktivist action. However, we don't think that this is the case. For a start, the Ukrainian Cyber Alliance has a track record dating back to 2014 as described in Bleeping Computer. And we can't think why a state-backed group would pretend to be hacktivists when hacking a ransomware group. They'd simply disrupt the ransomware group without feeling the need to advertise their success afterwards. 

We support the idea that states should use their offensive cyber capabilities to disrupt cyber criminals, and this incident is proof that ransomware groups are susceptible to compromise.

The Trigona incident certainly shows that US Cyber Command or the UK National Cyber Force would have opportunities if they were seriously tasked with tackling ransomware operators.

There's certainly a need for more operations disrupting ransomware — NCC group reports that September 2023 was a record month for ransomware incidents (as covered in the Risky Business News section of this newsletter). 

Subscribe now

Never Get Involved in a Land War in Europe 

The International Committee of the Red Cross (ICRC) has released an advisory board report on "Protecting Civilians Against Digital Threats During Armed Conflict". We doubt it will do much to change the mind of combatants and hacktivists but it does have some useful advice for tech companies and other non-combatants.

We recently covered an opinion piece from two ICRC lawyers that focused more narrowly on the role of hacktivists in combat. This new report doesn't add much in that regard, but in addition to advice for what the report calls "belligerents", it also contains advice for states, tech companies and humanitarian organisations.

The recommendations to tech companies are interesting in that they reflect some of the problems that SpaceX in particular has encountered during the Russian invasion of Ukraine. We have paraphrased these recommendations here:

• Consider whether the services you provide and who you provide them to make your company a military target 

• Keep military and civilian infrastructure separate if possible

• Try to protect civilian populations even when following legal obligations such as sanctions

• Try to stop content and disinformation that incites violence or encourages hate speech.

SpaceX, probably inadvertently, made itself a military target in the first month of the invasion  by providing Starlink services and terminals to Ukraine. These ended up being used by the Ukrainian military for combat communications and targeting, so Starlink ended up carrying both military and civilian traffic. SpaceX announced in December 2022 that it was launching a new military-specific product called Starshield. 

Although Elon Musk was hasty providing SpaceX to Ukraine, in our view he has muddled through pretty successfully. It was the right move to provide Starlink to Ukraine, but it might have helped the company be better prepared if it had thought through some of these issues beforehand. 

Before 2022, these kinds of war-related issues must have seemed like off-the-wall scenarios that would never eventuate. Sadly, they now seem like business as usual.   

Ukraine's Security Service In Bed With Hackers?

The Record reports that, according to a source within Ukraine's SBU security service, the SBU collaborated with hacker groups to breach Russia's largest private bank. 

Two pro-Ukrainian hacker groups, KibOrg and NLB, claimed to have breached Alfa-Bank and stolen customer records, and released some of this data publicly. This data is said to include information that relates to the bank's owner, billionaire Mikhail Fridman, and his pro-Russian blogger son, among others. 

The Record writes:

A source within Ukraine's security service who requested anonymity because he is not authorised to speak publicly about the incident confirmed to Recorded Future News that the Ukrainian agency was involved in the operation, but did not provide further details.

We've had our doubts about how useful a hacktivist army can be, but this could be a significant step towards integrating Ukraine's hacktivist army into operations that contribute meaningfully to the country's strategic efforts. But it's hard to know given there is so little information about what "involved" in this case actually means. 

It could, for example, mean as little as taking information acquired through the reported breach. This isn't new — Ukrainian officials already claim to have taken advantage of previous leaks for intelligence purposes. Or it could mean as much as specific tasking before Alfa-bank was reportedly hacked. That would be a pretty significant step in turning the hacktivist goodwill that supported Ukraine into a genuinely useful capability. 

Three Reasons to Be Cheerful This Week:

1. Ransomware double happiness: In addition to the hacktivist disruption of Trigona, an international coalition of law enforcement agencies took down Ragnar Locker ransomware's website and arrested key members of the group. Risky Business News has more coverage.  

2. Indian tech support scam crackdown: In Operation Chakra-II, India's Central Bureau of Investigation (CBI) raided call centres in 76 locations engaged in scams involving tech support and cryptocurrency. The CBI received help from Microsoft and Amazon who provided a joint referral that Microsoft says "enabled the exchange of actionable intelligence and insights with CBI and other international law enforcement agencies to help them take action at scale". The call centres raided by CBI impersonated Microsoft and Amazon tech support. This is the first time the two companies have collaborated to combat tech support fraud.

3. US disrupts illicit North Korean IT workers: The US Department of Justice announced that it had seized 17 websites in connection with the infiltration of North Korean IT workers into foreign companies. These workers were employed in legitimate companies under false pretences and their salaries were used to fund North Korea's weapons program. This comes on top of the previous seizure of about USD$1.5m.  

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Resourcely CEO Travis McPeak about the modern DevOps ecosystem, how giving developers tools with security baked in keeps everyone safe and happy, and how that's easier than expecting your software engineers to become cybersecurity experts overnight.

Shorts

Stealing Tokens From Tech Support

A threat actor has breached Okta's support system and used the access to steal customer credentials.

The intruder gained access to customer credentials by stealing HTTP Archive or HAR files that were uploaded to Okta by customers to help troubleshoot recent support cases. HAR files typically contain cookies and session tokens that can be used to impersonate users, and these were used in attacks detected by Cloudflare, BeyondTrust and 1Password. 

In at least one case the intruder tried to add another identity provider or IDP, what we previously called a Bring-Your-Own Identity Provider attack. 

In retrospect, Okta probably should have been sanitising these files at ingest, rather than expecting customers to do it.

Krebs on Security has further coverage. 

AI Phishing Faster, But Dumber. For Now. 

IBM's X-Force security research team has examined how ChatGPT can be used to generate phishing emails, and measured how effective these emails are. 

Although ChatGPT has protections in place to prevent it being used maliciously, X-Force was able to convince it to produce phishing emails tailored to specific industries with a series of five prompts. These phishing emails were not quite as good as human-created ones, but they were created much, much faster.

In terms of click through rates, human-crafted phishing emails were better, although not by much. When it came to being reported as suspicious, AI-generated phishing emails were worse, although again not by much when compared to run of the mill human-generated phishing emails. 

X-Force red team phishing emails were reported significantly less frequently than either AI or 'regular' phishing emails, but generating these high-quality phishing emails typically takes about 16 hours. This sounds like a long time to write an email, but the process starts with open source research on platforms such as LinkedIn and Glassdoor to find recent events relevant to the company that can be used to build credibility.

By contrast, ChatGPT-generated emails took just five minutes to generate. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at "spooky effects" aka when agencies play silly buggers with target computers. 

From Risky Biz News:

Record ransomware numbers: The month of September 2023 has been the most active month for ransomware gangs on record, with 514 disclosed attacks. September 2023 beats the previous record of 459 ransomware attacks disclosed earlier this year in March. Two groups that launched last month, LostTrust and RansomedVC, ranked in the top five of most active groups. The numbers were compiled by NCC Group using data published on ransomware leak sites.

Australia to get a cyber shield: Microsoft has signed an agreement with the Australian government to build a cyber shield and help the country fend off cyber-attacks. The project's official name will be the Microsoft-Australian Signals Directorate Cyber Shield, or MACS. It is a classic threat-exchange program aimed at improving the detection of threats targeting Australia. Besides MACS, Microsoft will also invest AUS$5 billion to build nine more data centers in the country, raising the total to 29.

Cisco IOS XE hackers are hiding their tracks as patches come out: Over the past three days—since our last newsletter edition—the situation around the latest zero-day attacks targeting Cisco IOS XE devices has drastically changed, and we feel the need to cover it in our featured section and provide a short summary of what has been going on.

Although these attacks have been taking place since at least September 28, news of this campaign came out last Monday, on October 16, when Cisco revealed the existence of a zero-day tracked as CVE-2023-20198 in the web administration panel of its IOS XE operating system.

[more on Risky Business News]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Mature Organisations Still a Security Horror Show

CISA and NSA have published a joint advisory on the most common misconfigurations experienced in cases across federal and state governments, the defence industrial base and critical infrastructure operators. 

You would expect to see well configured networks at these organisations, but the CISA/NSA advisory says these misconfigurations occurred even in networks with "mature cyber postures". The list is made up of 101-level problems:

1. Default configurations of software and applications

2. Improper separation of user/administrator privilege

3. Insufficient internal network monitoring

4. Lack of network segmentation

5. Poor patch management

6. Bypass of system access controls

7. Weak or misconfigured multifactor authentication (MFA) methods

8. Insufficient access control lists (ACLs) on network shares and services

9. Poor credential hygiene

10. Unrestricted code execution

The report describes these misconfigurations as "systemic weaknesses across many networks". Given that getting these settings right is 'basic cyber hygiene', these misconfigurations shouldn't exist in an organisation with a mature cyber posture. 

These misconfiguration errors fall into two buckets. 

The first bucket includes misconfigurations at least partly attributable to manufacturer's standard practices. Many commercial devices, for example, contain predefined default credentials for built-in administrative accounts. The report cites "network access [devices], printers, scanners, security cameras, conference room audiovisual (AV) equipment, voice over internet protocol (VoIP) phones, and internet of things (IoT) devices" as commonly containing default credentials.

Other examples include insecure or legacy protocols or services enabled by default, or insecure or overly permissive standard configurations.

In these cases network defenders are required to undertake configuration work even before products we would call 'insecure by default' are deployed.

These misconfiguration errors could be reduced by pressuring vendors to improve their security practices. The advisory says "software manufacturers must reduce the prevalence of these misconfigurations… by incorporating secure-by-design and -default principles and tactics into their software development practices".

In the second bucket, the network owner is responsible for the misconfigurations or weaknesses in network segmentation, internal network monitoring, privilege management, and credential hygiene.

Under 'poor credential hygiene', for example, the advisory explains how lax policies result in passwords that can easily be guessed in a relatively short time. In one security assessment it took just 12 hours for a security assessment team to crack 80% of user passwords. Even worse, assessment teams also frequently discover cleartext passwords. 

The advisory recommends organisations follow National Institute of Standards and Technologies (NIST) password policy guidelines and suggests they consider using password managers. 

Overall, our reading of the advisory is that — even for many US organisations important enough to receive support from CISA and NSA — security is not good enough. And manufacturers actually add to the problem by shipping products that require network defenders to remediate security vulnerabilities before they can be deployed safely. 

This advisory, then, explains the reasons why governments should be pressing software manufacturers to embrace secure-by-design principles. Even large organisations struggle with the basics, so it's time that product vendors started helping rather than hindering security efforts. 

What is Secure by Design?

Another strand of CISA's effort entails defining what secure-by-design product development actually looks like. This week it released a revised version of the Secure-by-Design guidance document it co-authored with US and international partner organisations. 

The document contains high-level principles targeted at senior leadership (eg 'Embrace radical transparency and accountability!', Lol) as well as more practical advice aimed at practitioners ('Actively discourage unsafe legacy features'). It's a heady mix. 

The other two principles are 'Take ownership of customer security outcomes' and 'Lead from the top'. From a vendor management perspective these three principles sound more like 'effort and expense' rather than 'profit and dollars'.  

However, more practically, the document contains stacks of software development and business process suggestions that would improve security if organisations implement them. These range from the mundane, such as 'eliminate default passwords' to the paradigm-subverting 'replace hardening guides with loosening guides'. 

This is all good stuff if a vendor already wants to improve the security of its products. The document describes how vendors can make their development practices more secure. But it doesn't do all that much to convince vendors to invest the time and effort to improve product security.

It also seems that CISA and its co-authors aren't convinced that vendors are on board with secure development either. They write:

Customers should also push their vendors to publicly document the secure by design actions each vendor takes. Collectively, this can create a strong demand signal for security, which can encourage and enable software manufacturers to take steps towards greater security. In other words, just as we seek to create a pervasive secure by design philosophy within software manufacturers, we need to create a "secure by demand" culture with their customers .

This, in essence, is the problem at the crux of the secure-by-design push. What are the incentives that will encourage vendors to adopt these more secure practices? Cyber security authorities don't have the regulatory clout to force vendors to change their ways.

We think there is space here for government regulators to require more transparency from vendors. The document's section on 'embrace radical transparency' has a number of concrete suggestions that would not be too onerous for vendors but could still provide the market with useful information about product security.

These include publishing statistics such as patching or MFA adoption rates, or publishing high level threat models and security roadmaps. Requiring these initiatives by themselves won't change much, but they are the baby steps that could start the ball rolling. 

Subscribe now

Five Eyes to Watch Sticky Fingers

At an FBI-hosted security summit, Five Eyes security intelligence leaders warned about the threat of PRC-sponsored intellectual property (IP) theft. This was the first-ever public joint appearance of leaders from Five Eyes countries’ security intelligence services and it is good to see this kind of public outreach. 

The Australian Broadcasting Corporation reported FBI Director Christopher Wray told the summit that AI technology was a particular target, but the group of leaders also provided specific historical examples of IP theft. Wray cited the story of a US wind turbine company whose market capitalisation plummeted after its IP was stolen by an insider that had been recruited by the company's Chinese joint venture partner. 

Mike Burgess, Director-General of the Australian Security Intelligence Organisation, spoke of an Australian company who discovered that inferior counterfeit products were being sold under its brand name. It was subsequently found that PRC state-backed hackers stole the company's IP using malware delivered by a USB drive given to a company employee at an international conference.  

"That USB downloaded malware onto that laptop, which later on, when they were connected back to their corporate network, was used to steal their intellectual property," Burgess said.  

"That intellectual property was passed from the intelligence services to [a] state-owned enterprise that mass produced the goods and sold them on the market that undercut them." 

The UK and Australian governments have already published security guidance tailored for innovative startup companies.  

Three Reasons to Be Cheerful this Week:

1. NTLM death watch: Microsoft has announced plans to remove support for NTLM authentication in Windows 11 at some point in the future. NTLM has been around since 1993 and is insecure relative to newer protocols, but is still required in some scenarios. Risky Business News has more coverage.

2. AI help with access control lists: Google has described a new tool that allows developers to modify security policies using simple English instructions rather than system-specific syntax. CISA and NSA identified poor access control management as one of the 10 most common misconfiguration problems in large organisations, so if it could be extended for systems beyond Google's, this could be a win.   

3. California's Delete Act signed: so Californians will be able to request their personal data be deleted from the servers of online companies including data brokers. Further coverage in The Verge.

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Airlock Digital founders Daniel Schell and David Cottingham about the recent Microsoft Digital Defense Report and the problem of properly securing PowerShell.

Shorts

iOS Sandboxing: Two Steps Forward

Google's Project Zero has a write up that likely describes one of the exploits that was used in the Intellexa alliance-related campaign that we wrote about last week. The exploit was part of a chain discovered by Google's Threat Analysis Group in collaboration with Amnesty International, at about the same time Amnesty was examining the Intellexa iOS one-click 0day.

This exploit targeted a buffer overflow vulnerability in the Safari renderer sandbox. Ian Beer, the report's author, describes the bug as "very basic" and says a "simple fuzzer targeting the IPC layer would likely have found this vulnerability in seconds". Although the bug itself was simple, the exploit itself was complex and Beer thinks the authors went to the effort to build a framework that could be reused for future bugs. In other words, they did a lot of work to make things easier for themselves in future. 

Forcing attackers to do more work to successfully exploit bugs is good, but Beer suggests it would be good to pay attention to secure coding fundamentals as well. He writes:

This vulnerability was introduced less than two years ago — we as an industry, at a minimum should be aiming to ensure that at least new code is vetted for well-known vulnerabilities like buffer overflows. A low bar which is clearly still not being met.

Your Face Belongs to… Clearview

The Verge has a long interview with New York Times tech reporter Kashmir Hill about facial recognition company Clearview AI. It's a good interview that covers both Clearview AI’s history and also the policy questions that facial recognition technology presents.

Hill covers privacy issues and has recently published Your Face Belongs to Us, a book about Clearview AI.

Sandworm Targets Ukrainian Telcos

Ukraine's CERT has revealed (Ukrainian document) that Russian cyber operators regularly target Ukrainian telcos with combined cyber espionage and disruption operations. These operations typically start with an intelligence-gathering phase where credentials and documents are stolen. This is followed by a destructive phase where they disable network, server and data storage equipment. The Record has more coverage.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" Tom Uren and The Grugq discuss how changing circumstances affect the risk/reward balance and alter whether effects operations are worthwhile.

From Risky Biz News:

Israel warns citizens of security camera hack risk: In the face of an escalating military conflict with Hamas and Hezbollah forces, the Israeli government has asked citizens to secure home security cameras or shut them down completely, fearing the devices could be hacked and used for espionage and intelligence collection.

In a memo on Friday, Israel's National Cyber Directorate asked camera owners to change their passwords, enable two-factor authentication if present, and enable automatic security updates.

If camera owners can't change any of their settings, officials have urged owners to either cover camera lenses or shut down devices completely.

Israeli officials aren't taking any chances and have most likely learned a vital lesson from the recent Russo-Ukrainian conflict, where security cameras across Ukraine have been hacked by Russian hackers to track military aid convoys and adjust missile targeting in real-time.

Aviram Azari case: US prosecutors say that an Israeli private investigator named Aviram Azari hired hackers to steal emails from climate activists and leak them to news agencies. The stolen emails were used to write articles criticising the tactics of climate activists. The articles were then cited in lawsuits involving Exxon Mobil, seeking to dodge investigations about its impact on climate change. US prosecutors have not linked Azari to Exxon Mobile. Prosecutors have asked the judge for a sentence of hundreds of months in prison, while Azari's team is asking for a maximum 60 months prison sentence after he pleaded guilty last year. Azari's sentencing is scheduled this week on October 18. [Additional coverage in Reuters]

Ransomware payments: A Splunk survey of 350 CISOs found that 96% worked for companies that got hit by ransomware over the past year, and a whopping 83% ended up paying the attackers. The survey found that the vast majority paid the attackers through an intermediary, such as a negotiator or their cyber insurance provider. A quarter of all paid ransoms were above $250,000, making the attacks a very lucrative business for ransomware gangs. [Additional coverage on the Splunk website]

"The cyber insurance process has changed over the past few years. It is getting to the point where we are wondering if it is worth our time."

Subscribe now

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

It is hard to care about hacktivism when the news from Israel and Gaza is so bleak, but there has been a flurry of activity from both camps since the conflict erupted.  

Cyber attacks reported so far include the DDoSing of both Israeli and Palestinian websites and the leaking of stolen documents and credentials from Israeli-related sites. While these actions generally made little difference to events on the ground, some attacks attempted to disrupt Israel's response to Hamas rocket attacks.

Per Wednesday's edition of Risky Business News:

Pro-Palestine hacktivist groups have launched several cyberattacks that targeted Israel's rocket alert system. DDoS attacks hit endpoints responsible for alerting citizens of incoming missile raids, even as early as one hour after the Hamas operation began. Several groups participated in the attacks, such as Anonymous Sudan, Killnet, and AnonGhost. The latter also exploited vulnerabilities in the API system of Red Alert, an Android app that sends rocket alerts to Israeli citizens. The group abused the API to send fake rocket and nuclear bomb alerts meant to sow panic among the Israeli population. 

Threat intelligence analyst CyberKnow is tracking 83 groups so far that have announced involvement in the Israel-Hamas hostilities — 69 pro-Palestine groups and 14 pro-Israel groups. 

The current scenario is similar to the Russian invasion of Ukraine, where hacktivist groups support both sides. Of course, state-linked groups posing as hacktivists are also involved.  

A likely Iran-linked threat actor, Moses Staff, has reappeared on Twitter/X, posting in support of Hamas’s actions. While purporting to be a ransomware actor, the group has previously launched a number of destructive attacks against Israeli organisations.

On the Israel-supporting side, Predatory Sparrow has posted on Twitter/X "we are back". This group is responsible for some spectacularly successful attacks in Iran, including one that dropped molten steel all over a factory floor. Other attacks have affected Iran’s train services and its fuel subsidy system. 

These operations were professionally executed and Predatory Sparrow also takes extensive steps to illustrate that it is conducting 'responsible' destructive cyber operations. In these attacks, for example, they've issued prior warnings to minimise collateral damage and prevent people from being physically hurt. (For more information see this newsletter's previous coverage and my discussion with The Grugq covering Predatory Sparrow).

We are sceptical about the value of genuine (i.e. not linked to a state) hacktivist operations, mostly because they could interfere with intelligence collection operations established to inform state actions that have far greater impact on events. Governments need to think about managing or shaping civilian hacktivist actions during conflict to minimise interference with their own cyber operations.

The role of cyber operations during conflict and the obligations on states to restrain hacktivism has drawn the attention of high profile legal specialists. Writing in a blog associated with the European Journal of International Law, two lawyers recently published eight rules for civilian hackers, and four obligations on states to restrain them. The eight rules for hackers are:

1. Do not direct cyber attacks against civilian objects.

2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.

3. When planning a cyber attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians.

4. Do not conduct any cyber operation against medical and humanitarian facilities.

5. Do not conduct any cyber attack against objects indispensable to the survival of the population or that can release dangerous forces.

6. Do not make threats of violence to spread terror among the civilian population.

7. Do not incite violations of international humanitarian law.

8. Comply with these rules even if the enemy does not.

These rules and the obligations on states are essentially an extension of the fundamental principles of International Humanitarian Law (IHL, or the Rules of War), and try to ensure cyber hacktivism avoids harming civilians as much as possible.

It's easy to be cynical about these rules, especially when participants engaged in real-world conflict are not observing IHL. It is hard to see that civilian hacktivists motivated by righteous fury will restrain themselves when atrocities are being committed. 

For now, however, actors with the skills and resources to cause the most damage (such as Predatory Sparrow) are associated with states. International law may make a difference to these groups. After all, the whole point of IHL is to at least try to make war a little bit less horrible, even if it is not always successful. 

EU Needs to Grow a Spine on Spyware 

A new investigation has found that EU-based spyware firms have sold their products to authoritarian governments and these products have been used to target European, US and UN government officials.

The investigation, reported under the name 'The Predator Files', is a collaboration between the European Investigative Collaborations (EIC) media network and Amnesty International. 

Amnesty International's Security Lab provided technical assistance to the investigation and produced a technical report focused on the Intellexa alliance and its Predator spyware. The Intellexa alliance is a collection of spyware and intelligence companies that appear to have corporate links or share common ownership. 

Amnesty documents a particular Predator campaign that appears to be Vietnam-linked and conducted targeting over X (formerly Twitter). In this case, malicious Predator infection links were sent in replies to targets from the @Joseph_Gordon16 Twitter/X account. 

This public targeting provided Amnesty's Security Lab with insight into the Predator operator's goals. Its report says:

The targets selected by this account included journalists, academic researchers working on security issues in the South China Sea and Vietnam, as well as senior political officials in the EU, US, and elsewhere, involved in work related to international fishing regulation, an issue of interest to the Vietnamese authorities

The accounts targeted include various European Commission officials, the German Ambassador to the US, Taiwanese President Tsai Ing-Wen, the Taiwanese Ministry of Foreign Affairs, and a Berlin-based media website covering news about Vietnam. The @Joseph_Gordon16-associated infection attempts documented by Amnesty International occurred from February through June this year. 

Assuming the operators are linked to the Vietnamese government, at a big-picture level this targeting itself seems fair enough, as it is the sort of espionage that Western governments consider legitimate.

The way it was carried out though—replying with malicious links on Twitter—is pretty crude. Presumably this technique works sometimes, but it's not very specific. 

Relatedly, Amnesty found that four US congresspeople were targeted, although perhaps not intentionally. Two of the four, US Senator John Hoeven and Representative Michael McCaul were separately tagged in a tweet from President Tsai Ing-Wen and one from the Taiwanese Ministry of Foreign Affairs respectively. The Predator campaign operator replied with malicious links to the original tweet without removing tags to Hoeven and McCaul, so perhaps they weren't the intended targets. The report isn't explicit about whether the other two US congresspersons involved, Senators Chris Murphy and Gary Peters, were directly targeted, although it was in a tweet that also referenced an Albanian parliamentarian.

From a European perspective, however, the use of Predator in this campaign is outrageous and notionally European companies are selling spyware which is then used to target European and allied politicians. Predator was also used in last year's Greek spyware scandal, where it was deployed for political purposes and used on journalists, activists, opposition political figures and even government cabinet members.    

Sales of systems like Predator outside the EU are theoretically subject to export controls but Intellexa has been skirting these regulations by selling via an Intellexa entity in the United Arab Emirates. Amnesty International's report describes this as an EU and member state regulatory failure, and they are not wrong. 

The US government has already acted against Intellexa. In July this year it put Intellexa and Cytrox, the Intellexa alliance firm that originally developed Predator spyware, on the US entity list. This prohibits US companies from doing business with them.

The Europeans need to grow a spine here. The European Parliament's PEGA Committee investigating the use of spyware has bemoaned the lack of political will to actually do anything about this problem. In its report to the parliament it concluded that:

…neither the Member States, nor the Council, nor the Commission seemed to be at all interested in maximising their efforts to fully investigate the spyware abuse, thus knowingly protecting Union governments which violate human rights within and outside of the Union.

Perhaps the targeting of EU officials and politicians will finally provide the incentive to act. But we can only hope.

The Chinese Spies Are In The Mail

According to The Financial Times, Belgian intelligence is concerned that a Chinese logistics company that has a large presence in Liège could be used for espionage.  

Cainiao, the logistics arm of Chinese giant Alibaba, runs a large logistics hub at Belgium's Liège cargo airport. The Belgian State Security Service (VSSE) fears that information from the logistics hub could be provided to the Chinese government to give them insights into supply chains and potential vulnerabilities. 

There certainly are reasons to be concerned and we've argued in the past that "Chinese firms are so closely interlinked with the Chinese government that they cannot be trusted in critical infrastructure". 

The Financial Times writes that "Cainiao is able to access data about merchants, products, transport details and flows, said a person familiar with its IT systems", which sounds concerning. However, it also states that the logistics centre in Liège "mainly handles goods sold directly to European consumers through the online shopping site AliExpress". 

So the magnitude of the risk here really depends upon whether Cianiao has access to data about other logistics shipments, not just its own. If it can only see its own shipments, we don't see that Cianiao's presence in Belgium is really an additional espionage risk, since a Chinese Alibaba group company already knows all about the shipments anyway.

Still, and we've made this point before, it's the PRC's own actions that make it difficult for its companies to be trusted overseas. There are genuine reasons to be concerned. 

Three Reasons to Be Cheerful this Week:

1. Google makes passkeys default sign-in: Google has made passkeys the default way to sign in to accounts as of Tuesday this week. 

2. VBScript on the way out: Microsoft has announced it will remove VBscript from future versions of Windows, although it will be available as a "Feature On Demand" if it is needed. VBScript has been part of the Windows operating system since 1998 and has been a popular tool amongst malware developers. Risky Business News has more in-depth coverage. 

3. Clouds mandate more MFA: AWS announced that accounts with the highest privileges will be required to use Multi Factor Authentication from mid-2024. Google subsequently told Cybersecurity Dive it would impose the same requirement before the end of this year. 

Sponsor Section

In this Risky Business News sponsor interview Tom Uren asks Martin Cannard, VP of Product Strategy at Netwrix, how privileged access management can help defend organisations. 'Advanced Persistent Teenagers' regularly use social engineering techniques to compromise highly privileged accounts, but that doesn't mean it's instantly game over.

Shorts

This Robot Will Seduce and Rob You

Researchers at cyber security firm Avast have produced a report looking at how ChatGPT is being used in a dating platform scam.

The tool has been around for at least a decade, but the incorporation of ChatGPT led the researchers to call it LoveGPT. The tool is quite sophisticated and automates the creation of fake profiles and harvests data across 13 dating platforms. ChatGPT functionality is used in creating description text in fake profiles, reading and replying to messages and asking for phone numbers. 

The Record has more comprehensive coverage. 

Crypto Theft Wrapped in Fraud, Surrounded by Incompetence

Wired has a tremendously entertaining story about the shenanigans at the FTX crypto exchange on the day it declared bankruptcy and a thief stole over USD$400m worth of cryptocurrency.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the potential for a cyber criminal match made in hell between ransomware actors and BEC scammers.

From Risky Biz News:

Tech companies and security firms rally against EU vulnerability disclosure rules: A group of more than 50 tech experts and organizations have signed an open letter asking EU officials to rethink Article 11of the upcoming EU Cyber Resilience Act.

The article introduces a mandatory requirement for all software vendors to disclose vulnerabilities to the ENISA, the EU's cybersecurity agency, within 24 hours of becoming aware of in-the-wild exploitation. ENISA will then relay this information to national CSIRT teams and stock market watchdogs across its member states.

The open letter's signatories argue that the CRA's Article 11—in its current form, at least—greatly expands the number of organisations that will have first-hand and real-time immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to product vendors, their customers, and the general public.

[more on Risky Business News]

Human-operated ransomware attacks double in a year: The number of human-operated ransomware attacks has more than doubled over the past year, Microsoft said in its yearly Digital Defense Report.

The term "human-operated ransomware" refers to certain intrusions where the ransomware is deployed manually rather than using automated scripts.

[much more on Risky Business News, including that the number of ransomware incidents has returned to 'normal' after the initial disruption of the Russian invasion of Ukraine and how in more than half of ransomware incidents file encryption is deployed within a day of initial access.] 

DPRK operations: Google's Mandiant division has published an updated guide to understanding North Korea's APT and cyber operations, complete with an updated organisational chart. The report's main findings are that DPRK groups now increasingly share resources and temporarily collaborate on operations, making exact attribution extremely difficult.

Malware infrastructure overlaps indicating resources and attribution muddled by shifting assignments show how DPRK cyber operations are changing. However, operations conducted to fulfil regime requirements remain steadfast and we believe they will continue. While defenders may not be able to easily sort new DPRK activity into a previously identified bucket, the malware reuse and shared resources creates opportunities for detection and country level attribution.

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts: 

The US National Security Agency (NSA) is creating a new Artificial Intelligence Security Center to develop secure AI for use in defence and national security. The Center will also work to maintain the US's AI advantage by protecting against intellectual property (IP) theft.

The Director of NSA and US Cyber Command, General Paul Nakasone, announced the creation of the new centre in a speech at the National Press Club in Washington DC. 

In his speech Nakasone pithily described AI security as "about protecting AI systems from learning, doing and revealing the wrong thing", before listing some goals of the new centre:

The AI Security Centre will become NSA's focal point for leveraging foreign intelligence insights, contributing to the development of best practices, guidelines, principles, evaluation methodology and risk frameworks for AI security. With an end goal of promoting the secure development, integration and adoption of AI capabilities within our national security systems and our defence industrial base. 

The AI Security Center will also help industry understand the threats against their intellectual property and collaborate to help prevent and eradicate threats. 

The AI Security Center will work closely with US industry, national labs, academia, across the IC and Department of Defense and select foreign partners.

In other words, helping develop secure AI that contributes to national security, while stopping other countries stealing the technology (looking at you, China). 

What Nakasone has announced seems fair enough. Bringing the NSA's AI efforts together in a place where the organisation can more easily collaborate with external partners is a good move.

We also agree with Nakasone that AI security is "principally a cyber security responsibility". Making AI secure may require new tools and techniques, but traditional cyber security  methodologies and thought processes will be transferable when developing AI security frameworks. 

The assumption underpinning the launch of the AI Security Center is that AI will transform defence, national security and other industries and sectors. But Nakasone isn't blinded by AI hype and his action in creating the centre is informed by NSA's homework on the field. In early September Nakasone revealed that the NSA had recently developed a roadmap sketching out how the organisation could take advantage of AI. 

Speaking at the Billington Cybersecurity Summit, Nakasone said NSA already used AI, "primarily within our signals intelligence mission", and the roadmap had also looked at potential uses within its cyber security mission. And the NSA found these technologies could have "tremendous impact" on the agency's business functions such as compliance and HR, for example. 

Governments worldwide are concerned about AI and it regularly appears on lists of critical technologies, including those kept by governments in the UK and Australia. There are also reasons to be particularly concerned about AI. Just this week, the European Commission formally identified AI as one of four technology areas that were not only critical for economic security but were also particularly 'risky'.

The Commission identified AI, advanced semiconductors, biotechnology and quantum technology as particularly concerning, because they are 'dual-use', meaning they could be used for civil and military applications and to undermine or violate human rights.

So Nakasone is doing what he can to make NSA's efforts to protect AI in defence and national security as effective as possible. That's good, and the NSA is well placed to contribute to the US government's broader strategic goals of safe and secure AI.  

There's more that can be done here, though, outside Nakasone's purview. 

When it comes to protecting AI IP, for example, the NSA is well placed to provide advice and even prevent cyber espionage. However, the PRC doesn't restrict itself to just cyber-enabled IP theft and has a holistic approach to acquiring IP that includes both human and cyber espionage. So how is the US addressing threats like insider risk and traditional person-based espionage in an AI IP context?  

It'd be a real shame if the US AI advantage is stolen by people rather than by packets.  

Subscribe now

Rich Pickings at the Network Edge 

A Mandiant report released this week found that 62% of exploited-in-the-wild vulnerabilities are 0days and the remaining 38% are exploited after public disclosure. It also found that the percentage of vulnerabilities attributable to Microsoft, Apple and Google has declined to less than half the total.

Mandiant observes a consistent decrease in what it calls the "time-to-exploit" (TTE), the "time taken to exploit them either prior to or after public disclosure". However, we have a problem with this metric as described in the report, as it combines 0days, which by definition should have a negative TTE (?), with n-days, which have a positive TTE. 

The report says that average TTE has declined over the last several years but then also notes that "n-day exploitation timelines may have grown slightly". Wut.

There may be a reason to combine 0days and n-days in this way, but we are not seeing it. 

Moving beyond this gripe, the report identifies a consistent trend in the percentage of vulnerabilities found in the top three vendors (Microsoft, Apple and Google) declining over time. Over the last few years less than half the vulnerabilities discovered originate from the three organisations.

The flipside of this is the targeted exploitation of internet-facing enterprise products that often have broad visibility into a network and/or administrative privileges. These include VPN devices, firewalls, and other products from vendors such as Fortinet, Citrix, PulseSecure, Cisco and others.

The sterling example of this (if sterling was horrible) is the Cl0p ransomware gang’s sustained targeting of enterprise file transfer systems. Since 2020 it has launched sequential campaigns against Accellion's File Transfer Appliance, Fortra's GoAnywhere Managed File Transfer product and Progress Software's MOVEit file transfer software. Just this week we saw exploitation kick off against another Progress Software product, WS_FTP. (Risky Business News has more coverage).

In terms of victims affected, Cl0p's MOVEit campaign is perhaps the largest of all time. Cybersecurity firm EMSISOFT has found that 2,309 organisations and 62 million individuals have been affected by the campaign. It's also been lucrative for Cl0p. Ransomware incident response firm Coveware estimates that the gang may earn from USD75m to 100m from the MOVEit campaign alone.

Cl0p has shown that there is gold in exploiting enterprise software, so we expect that threat actors will continue to focus on enterprise network edge devices.

Three Reasons to Be Cheerful this Week:

1. SEC rule changes encourage cyber security strengthening: A poll of publicly traded companies has found that nearly two-thirds of them are strengthening their cyber security programs in the wake of changes to SEC disclosure rules.  

2. Strengthened anti-spam email protections: Google has announced it will tighten its requirements for "bulk senders" of email, including requiring them to use SPF/DKIM and DMARC email authentication protocols and enable recipients to unsubscribe with a single click.  

3. Pig butchering ring busted: Thai police, with help from the US Department of Homeland Security and cryptocurrency exchange Binance, have disrupted a 'pig butchering' criminal group. The Thai police's Cyber Crime Investigation Bureau seized assets worth USD$277m, including luxury cars and real estate. Over 3,200 victims have come forward seeking compensation. 

Sponsor Section

In this sponsored podcast Proofpoint’s Selena Larson talks with Tom Uren about recent changes in the e-crime ecosystem.

Shorts

Counting the Cost of Microsoft's Storm-0558 Hack

Reuters reports that the hack of Microsoft's email services resulted in the theft of 60,000 emails from 10 State Department accounts by a Chinese state-linked threat actor known as Storm-0558. Around 25 organisations were affected but it hasn't been reported what the group took from the other victims. 

AWS Talks Honeypots

Amazon Web Services has published a piece describing its "MadPot" honeypot system and it contains some interesting nuggets. When a new MadPot sensor is created it is typically discovered by internet scanning probes within 90 seconds. On average, it only takes three minutes after discovery before attempts are made to penetrate and exploit it, even though, in the words of the post, "these workloads aren’t advertised or part of other visible systems that would be obvious to threat actors". 

The post also describes how MadPot was used to identify activity by Volt Typhoon, a state-sponsored China-based actor that has targeted critical infrastructure. Even though the group used relatively stealthy 'living off the land' techniques, the MadPot system had captured data on a Volt Typhoon payload containing a unique signature. MadPot historical data was queried with this signature to identify other IP addresses that Volt Typhoon had used and correlate activity that would otherwise appear to be unrelated.

From Timbuktu to Tokyo

US and Japanese authorities have warned that China-linked cyber actors are compromising international subsidiaries of US and Japanese companies as beachheads to target the companies’ headquarters.

The threat actors gain administrative access to Cisco routers at the subsidiary firms and then install custom malicious firmware. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at whether offensive cyber operations against ransomware groups have succeeded or failed.

From Risky Biz News:

Ransomware gangs hit TeamCity and WS_FTP servers: Ransomware groups are exploiting recently disclosed vulnerabilities in TeamCity and WS_FTP servers to breach corporate networks and ransom organisations.

The attacks are exploiting CVE-2023-42793 and CVE-2023-40044.

The first is an authentication bypass and RCE vulnerability that can allow threat actors to take full control of JetBrains TeamCity CI/CD servers. Once on the development pipeline, threat actors can pivot to other resources on a company's internal or cloud network, from where ransomware gangs can do extensive damage.

The second is a remote code execution in WS_FTP, a file-transfer application developed by Progress Software—the same company that also made the MOVEit file-sharing server, heavily exploited by the Clop gang earlier this year in hacks that impacted more than 2,000 organisations. This bug is particularly nasty because it can be exploited with one HTTPS POST request.

[more on Risky Business News]

Disclosure snafu delays critical Exim patch more than a year: A critical vulnerability impacting more than 3.5 million Exim email servers has remained unpatched for more than 15 months in one of the most egregious instances of vulnerability disclosure snafus in recent history.

Tracked as CVE-2023-42115, the vulnerability is a no-authentication remote code execution with a severity rating of 9.8/10.

[more on Risky Business News, including an explanation of how it is hard to blame any of the parties involved even though it is still a huge cluster]

Chinese APT hacks subsidiaries, pivots to corporate headquarters: Cybersecurity agencies from Japan and the US have issued a joint security  advisory about a Chinese APT group that is hacking the overseas subsidiaries of US and Japanese companies and then pivoting to their corporate headquarters.

Known as BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group targets internet-facing routers as their entry point into victim networks.

To maintain access, the group hot-patches the router firmware with a modified version that bypasses security features and contains a built-in SSH backdoor to maintain future access.

[more on Risky Business News]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations. 

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD$15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

We have taken steps to ensure that the stolen data is deleted by the unauthorised actor, although we cannot guarantee this result. 

In some respects, Caesars Entertainment got off lightly because it experienced very little business downtime. 

By contrast, MGM Resorts, Nevada’s largest employer and operator of the most casinos on the Las Vegas Strip, suffered a series of crippling outages. These included doors and elevators not working, ATMs and its website going down, credit card payment facilities being unavailable and guests being unable to use their room keycards.

Media reporting and a statement from the ALPHV ransomware group said much of this disruption was caused by MGM Resorts’ own attempts to limit further compromise by preemptively shutting down systems. 

Various media reports attribute these recent incidents to threat actors variously known as Scattered Spider, Muddled Libra, and UNC3944. The parties involved appear to be working with the ALPHV ransomware group.

These actors appear to be responsible for lots of incidents. Crowdstrike told Reuters it attributed 52 attacks globally to Scattered Spider since March 2022. (Scattered Spider is Crowdstrike's name). Similarly, Mandiant told Reuters that it attributed 100 intrusions in the last two years to UNC3944 (Mandiant's name). Mandiant's report on the 'threat cluster', released just over two weeks ago, says that UNC3944's targeting has expanded to "a wide range of industries including hospitality, retail, media and entertainment, and financial services".  

Interesting reporting from CyberScoop attributes these recent breaches to multiple subsets of actors that have sprung out of an online community calling itself "the Com", as opposed to a single group with a fixed membership. The Com appears to be particularly nasty. Per CyberScoop:

The FBI has been involved in multiple investigations involving people associated with the Com for alleged violent activity, Vice reported in May. In a May 2023 affidavit, an FBI agent described the Com as a "group of cyber-criminal actors" that is "geographically diverse" and organises in various subgroups to "engage in various types of criminal activity to include cyber intrusions, SIM swapping, cryptocurrency theft, commissioning real life violence, and Swatting," the practice of sending armed emergency response teams to a victim’s location under false pretences.

The Com ecosystem also had links to the Lapsus$ group, a loosely affiliated group of teenage hackers that was so outrageously successful that it was the subject of a Cyber Safety Review Board (CSRB) report released late last month.

Mandiant's report into the tactics used by UNC3944 describes brutally efficient operations:

UNC3944 relies heavily on social engineering to obtain initial access to its victims. They frequently use SMS phishing campaigns and calls to victim help desks to attempt to obtain password resets or multifactor bypass codes.

The threat actors used commercial residential proxy services to access their victims from the same local area to fly under the radar of security monitoring tools.

The threat actors consistently use legitimate software, including a variety of remote access tools the actors have downloaded from the vendor websites.

The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days. The tempo and volume of systems UNC3944 accesses can overwhelm security response teams.

Once obtaining a foothold, UNC3944 often spends significant time searching through internal documentation, resources, and internal chat logs to surface information that could help facilitate escalating privileges and maintaining presence within victim environments.

UNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems.

These recent incidents show that Lapsus$ wasn't a flash in the pan. Instead, it represented a breakthrough in the techniques threat actors use to overcome standard cyber security practices. These practices are no longer fit for purpose. 

For example, attackers used the "Bring Your Own Identity Provider" method we wrote about earlier this month in the MGM Resorts incident. In this attack, the Com hackers acquired Okta Super Administrator account credentials (probably by phishing) and then convinced the MGM Resorts help desk to reset Multi-Factor Authentication (MFA) options. The attackers then used legitimate functionality to enable further follow-on actions. 

One policy that would have stopped this attack would be to prevent help desk staff from resetting Super Administrator MFA. This seems blindingly obvious in retrospect, but hadn't previously been a widely exploited loophole. 

And although Lapsus$ itself was bad enough, teenage hackers’ collaboration with global ransomware crews is even more worrying. While several individuals involved in Lapsus$ have been arrested and the authorities are pursuing the MGM Resorts and Caesars Entertainment attackers, we don’t think this will deter other teenage hackers. Part of the CSRB's Lapsus$ report dealt with juvenile cybercrime prevention programs, which certainly seem like a good idea but won't yield any immediate benefits. 

Our advice is to (re-)read the Lapsus$ report and harden your identity procedures and policies.

Subscribe now

Russia Drops the Cyber Hammer for the Sickle

Ukraine's cyber security organisation, the SSSCIP, has identified some new behaviour in its review of Russian cyber tactics over the first half of 2023.

One new trend is what the report describes as "sustained interest" in Ukrainian law enforcement agencies. The SSSCIP believes the goal here is to find out what evidence Ukraine has regarding Russian war crimes and also to understand what information Ukraine has about Russian spies operating in the country.

The report found Russia was more frequently directing cyber operations at the Ukrainian private sector to enhance the monitoring of the outcomes of its kinetic operations, including missile and drone attacks. 

This is in contrast to Russia's previous 'kitchen sink' approach of launching both destructive conventional and cyber attacks against critical infrastructure. There was also a shift to gathering intelligence about the Ukrainian supply chain. 

These are all more sensible uses of cyber operations and attempt to complement rather than duplicate other capabilities. 

Russian threat actors are also focusing on immediate data exfiltration, dumping as many as 21,000 documents and browser credentials within the first 30 minutes after gaining access. After stealing that data, they try to take advantage of established trust relationships by sending malware via email, for example. 

The SSSCIP believes this is because Ukrainian detection and response times have improved so much that the Russians don't have time for lateral movement before they are booted off networks. 

Another interesting aspect is the Russian focus on the media sector. This primarily targets  individuals and journalists and the SSSCIP says "the goal behind these attacks is to gain control over media resources and accounts, intending to employ them for disinformation campaigns and influence operations". 

The report highlights a number of other trends, including more phishing attacks, less malware, more 'living off the land' (abusing legitimate tools already present in the host environment), ongoing targeting of email servers and revisiting previous victims. 

Microsoft Security Culture… Still Sucks

The week after we wrote that Microsoft's security culture isn't up to scratch, cloud security firm Wiz discovered a 38TB data leak from the company. 

The leak happened because of a misconfigured Azure Shared Access Signature (SAS) token. Mistakes happen, but the architectural decisions here are mind-blowing. Per Wiz's blog:

Generating an Account SAS is a simple process… [T]he user configures the token’s scope, permissions, and expiry date, and generates the token. Behind the scenes, the browser downloads the account key from Azure, and signs the generated token with the key. This entire process is done on the client side; it’s not an Azure event, and the resulting token is not an Azure object. 

Because of this, when a user creates a highly-permissive non-expiring token, there is no way for an administrator to know this token exists and where it circulates. Revoking a token is no easy task either — it requires rotating the account key that signed the token, rendering all other tokens signed by the same key ineffective as well. These unique pitfalls make this service an easy target for attackers looking for exposed data. 

Besides the risk of accidental exposure, the service’s pitfalls make it an effective tool for attackers seeking to maintain persistency on compromised storage accounts. A recent Microsoft report indicates that attackers are taking advantage of the service’s lack of monitoring capabilities in order to issue privileged SAS tokens as a backdoor. Since the issuance of the token is not documented anywhere, there is no way to know that it was issued and act against it.  

Yikes. Patrick, Adam and guest Lina Lau discussed this on last week's Risky Business podcast.

Three Reasons to be Cheerful this Week:

1. Regional effort to tackle Asian scam networks: China, the United Nations, and ASEAN are joining forces to crack down on cyber-enabled scams including what is known as 'pig butchering'. [Additional coverage in the South China Morning Post]

2. Hunt Forward the new norm: The UK government has admitted that it too conducts "hunt forward" operations. These are operations that find and disrupt adversary activity on partner networks and were pioneered by US Cyber Command. The Record has an interview with Lt. Gen. Tom Copinger-Symes, deputy commander of the UK's Strategic Command about the UK's hunt forward and other cyber operations.

3. Blocking outbound NTLM hashes: Microsoft has announced that Windows 11 will soon block sending of NTLM over remote outbound connections. This should block remote attackers from tricking Server Message Block (SMB) clients into sending them a relatively easy to crack NTLM authentication hash. 

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Stairwell Principal Reverse Engineer Silas Cutler about Akira's recent server leak and attacker infrastructure.

Shorts

Deduplicating Cyber Incident Reporting

The Record has a good account of a US Department of Homeland Security (DHS) document released last week on harmonising cyber incident reporting to the federal government. Already there are 45 cyber incident reporting requirements across 22 federal agencies, with more proposed, yet some of the requirements are just duplicates of others rather than  providing more necessary information. 

The document pretty sensibly suggests rationalising these requirements and having clear and shared definitions for timelines and triggers. It suggests that a single incident reporting portal could be developed. Pretty sensible stuff. 

Reducing Hardware Supply Chain Risk

The US Cybersecurity and Infrastructure Security Agency released its first version of the Hardware Bill of Materials (HBOM) framework. It's meant to mitigate supply chain risks for hardware products. Risky Business News has more coverage.  

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine how US and UK strategies to use cyber power differ but are in some ways mirror images of each other.

From Risky Biz News:

China admits NSA hacked Huawei: China's Ministry of State Security (MSS) published an extremely rare official statement on its WeChat account last week formally accusing the US National Security Agency of hacking and maintaining access to servers at Huawei's headquarters since 2009.

The statement is the first time the Chinese government has confirmed the NSA's Huawei hack—first reported by the New York Times and Der Spiegel back in 2014.

The MSS statement doesn't go into any technical details about the actual hacking but merely recycles information from the NYT and Spiegel reports and the Snowden leaks. It does, instead, spend a lot of time accusing the US of using (and I kid you not) "the despicable tactics of the 'Matrix' to maintain a 'cyber hegemony'."

[more on Risky Business News]

Lazarus steals $54 million from CoinEx crypto-exchange: North Korean hackers known as the Lazarus Group have stolen $54 million from the CoinEx cryptocurrency exchange.

The hack took place on Tuesday, September 12. In a statement, CoinEx said the hackers identified a leak of some of its private keys and used them to steal Ether, Tron, and Matic assets from some of the company's hot wallets.

The company didn't formally link the hack to North Korea, but a blockchain investigator named ZachXBT found that some of CoinEx's stolen funds were sent to the same address that is storing funds stolen from the recent hack of the Stake.com crypto-gambling site.

[more on Risky Business News]

FSB agent detained: Russian authorities have arrested an FSB officer from the city of Perm for taking a bribe from a hacking group to arrange their release from prison and dismissal of their criminal case. The bribe was 100 million rubles, representing more than $1 million. The officer was detained in April this year, and his detention has been extended until November. The name of the criminal gang who paid the bribe is unknown. The gang was detained in February 2022, and it is not related to the REvil and Infraud arrests that took place at the time (likely related to this US case). [h/t Oleg Shakirov; Additional coverage in Kommersant]

Subscribe now

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

Last week, Microsoft released its latest report into how its services were compromised by a China-based actor it called Storm-0558. It's an eye opening document that raises some red flags about Microsoft's security culture.

To summarise the incident briefly, Storm-0558 used a Microsoft Account (MSA) signing key to gain access to the email accounts of individuals in businesses and in government departments including the US Department of State and the US Department of Commerce. For several reasons this hack should not have worked, yet Storm-0558 was able to take advantage of multiple flaws in Microsoft processes to achieve its objectives.

From the perspective of someone who has worked in high-security environments, some of these flaws are absolutely bewildering. 

They raise serious concerns about the way Microsoft approaches security.  

For example, in this incident an MSA consumer key was able to access enterprise accounts. This is explained in Microsoft's report:

To meet growing customer demand to support applications which work with both consumer and enterprise applications, Microsoft introduced a common key metadata publishing endpoint in September 2018. As part of this converged offering, Microsoft updated documentation to clarify the requirements for key scope validation – which key to use for enterprise accounts, and which to use for consumer accounts.  

As part of a pre-existing library of documentation and helper APIs, Microsoft provided an API to help validate the signatures cryptographically but did not update these libraries to perform this scope validation automatically (this issue has been corrected). The mail systems were updated to use the common metadata endpoint in 2022. Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation. Thus, the mail system would accept a request for enterprise email using a security token signed with the consumer key (this issue has been corrected using the updated libraries).  

Microsoft combined two systems that had been logically separated, but apparently it never occurred to anyone involved in the process that in doing so, they should update the software libraries to enforce access boundaries. In a security-conscious organisation this change in architecture would be identified as a potential security risk very early in the process and mitigations developed, implemented, and tested. 

As it was… it appears that everyone thought enforcing security boundaries was someone else's job and so nothing happened.

Additionally, the purloined key notionally expired in April 2021 but was successfully used by Storm-0558 in 2023. Microsoft systems weren't enforcing key expiration dates because… why? No one thought to confirm that keys expired in practice?

My former colleague at ASD, Vaughan Shanks, CEO of Cydarm and a computer scientist who has worked at both ASD and NSA, described these lapses as "flabbergasting". 

Shanks also pointed to Microsoft's handling of crash dumps in this incident as an indicator of a lax security culture. 

In this compromise, Microsoft believes the key in question was stolen when a consumer signing system crashed in April 2021. Following Microsoft's "standard debugging process" this crash dump was transferred from the company's hardened production environment to the company's debugging system on its corporate network. 

Sometime after April 2021, Storm-0558 compromised a Microsoft engineer’s corporate account with access to the debugging environment. Microsoft thinks the "most probable" way Storm-0558 obtained the key is by grabbing this crash dump, although the company doesn't have logs with specific evidence of the data being taken because of its log deletion policy.

Microsoft had several independent measures in place that should have prevented the key from ending up on its corporate network. These measures — redacting keys from crash dumps and subsequently scanning for key material and credentials at different points in processing — all failed. Microsoft says that all these technical issues have been fixed, but the broader problem here is that Microsoft prioritised convenience over security. 

That may be OK for some Microsoft systems, but when dealing with the keys to the kingdom why take risks that will not just bite you, but take a huge chunk out of your ass if they are realised?

"If you are dealing with the fundamental root of trust", Shanks says, "you should probably accept that you need to work in a windowless basement without internet access". 

This isn't an isolated security gaffe and this newsletter has consistently lamented Microsoft's approach to security. The mistakes we've highlighted above — not ensuring scope is respected when systems are combined and treating crash dumps potentially containing signing keys with standard processes — aren't bizarre edge cases that could catch any organisation by surprise. These are decision-making failures that simply wouldn't happen in an organisation that actually cared about security. This breach didn't happen because of a series of amazing coincidences, it happened because Microsoft's security culture is not up to scratch.

UK Government Works Hand in Hand With... Itself

The UK's Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) have signed a Memorandum of Understanding (MOU) that will get the two organisations working together to improve cyber security standards. 

Ultimately both organisations share broadly similar strategic goals–to protect the public and make the UK safer from cyber crime and data breaches. However, some functions and responsibilities the organisations have could discourage firms from engaging with them. For example, where the NCSC might help a firm with incident response, the ICO could potentially fine it for poor cyber security practice. 

The MOU is a formal attempt to maximise cooperation between the two bodies while minimising the fear that the NCSC might rat out an organisation to the ICO. The ICO's release directly addresses that particular fear, saying the MOU "reaffirms that the NCSC will never pass information shared with it in confidence by an organisation to the ICO". 

For its part, the ICO says it will encourage organisations to engage with the NCSC. In a sentence that would never be written outside government, the ICO says it "commits to exploring how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties". Translated from weasel words to English, this is (may be?) a promise to consider reducing fines for organisations that work with the NCSC.  

In May this year the NCSC and ICO issued a coordinated call for company transparency regarding cyber attacks, especially involving ransomware. They said they were "increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones". 

We don't think the MOU will actually change all that much about how the two organisations operate, but it gives them both a formal document they can point to to reassure victims that might otherwise hesitate to get in touch.  

DoD Cyber Strategy To Make Friends and Influence People 

The US Department of Defense (DoD) has released the unclassified summary of its 2023 cyber strategy and although it is pretty much what you'd expect, there are parts of the strategy we like. For example, the DoD does not think that cyber operations in isolation are all that useful. From the introduction: 

The Department's experiences have shown that cyber capabilities held in reserve or employed in isolation render little deterrent effect on their own. Instead, these military capabilities are most effective when used in concert with other instruments of national power, creating a deterrent greater than the sum of its parts. 

Happily, the department's goal to "disrupt and degrade malicious cyber actors" is framed quite broadly and includes "degrading [malicious actors’] supporting ecosystems". The DoD appears to be taking a supporting role here and the document speaks of "complement[ing] concurrent actions by the diplomatic, law enforcement, and intelligence communities, among others".

Another aspect of the strategy we like is that it describes allies and partners as a "force multiplier" and "a foundational strategic advantage for the United States". The strategy specifically mentions ‘hunt forward’ operations and technical collaboration with partners that can "illuminate malicious cyber activity on their networks". 

There is an opportunity here to win friends and influence non-aligned countries by exposing malicious activity coming from countries such as the PRC and Russia. It's one thing for a government to generally understand that cyber espionage goes on, it's another thing to know for sure that the PRC or Russia is actively hacking it. 

Three Reasons to be Cheerful this Week:

1. Free vulnerability scanning for US water utilities: The Cybersecurity and Infrastructure Security Agency (CISA) has announced it is opening up its Vulnerability Scanning (VS) service to US water and wastewater utilities. More coverage at Risky Business News. 

2. Real-time safe browsing for Chrome: Google is extending its Safe Browsing malicious link and file warning system to provide real-time protection for all Chrome users. Until now, Chrome had updated its list of malicious sites every 30 to 60 minutes, but Google says that nowadays 60% of phishing sites exist for less than 10 minutes. The firm says the new default won't share your browsing history with Google.

3. US and UK sanction 11 Trickbot members: The US and UK governments have imposed sanctions on and revealed the real-world identities of 11 members of the Trickbot cybercrime operation. The new sanctions come after both governments doxxed and sanctioned seven members earlier this year in February. Risky Business News has additional coverage. 

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Red Canary Principal Readiness Engineer Gerry Johansen about the need to prepare IR plans in advance and why that’s just as important as the IR playbook itself.

Shorts

Cyber War Crimes are Just War Crimes

The International Criminal Court's (ICC) Prosecutor, Karim A. A. Khan, has penned a pretty sensible article essentially saying that cyber operations are just another tool that can be used to commit war crimes. Therefore, these operations need to comply with International Humanitarian Law (i.e. the Rules of War) and be targeted, proportionate and necessary. This is consistent with our view that "cyber war crimes are not a thing". 

0Khan also notes that the ICC needs to improve its own security practices to defend because "disinformation, destruction, the alteration of data, and the leaking of confidential information may obstruct the administration of justice at the ICC". 

Russian Cyber Criminals Land In Turkey

The Financial Times reports that some Russian cybercriminals have moved to Turkey fearing that they would be conscripted into the war effort in Ukraine if they remained in Russia. 

In theory perhaps, a hacker's location shouldn't matter, but a Turkish police official told the Financial Times that the criminals avoid targeting Turks to avoid attracting the attention of local authorities. A local information security specialist told the Financial Times "Russian hackers taught their Turkish counterparts sophisticated code to collate the vast amounts of data being harvested, while the Turkish criminals leveraged their contacts in western Europe, especially Germany, to secure better prices for efficiently organised data sets".

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at how AI can turbocharge cyber scams.

From Risky Biz News:

Microsoft to phase out 3rd-party printer drivers for security reasons: Microsoft will phase out the use of third-party printer drivers in Windows in favor of a new and more secure interface.

"In the near future, Windows will default to a new print mode that disables 3rd party drivers for printing," said Microsoft security engineer Johnathan Norman.

"That new system will have quite a few big security improvements, which we plan to detail in a future blog post."

[more on Risky Business News]

US and UK dox and sanction 11 more Trickbot/Conti members. Charges included too: The US and UK governments have revealed the real-world identities and imposed sanctions on 11 additional members of the Trickbot/Conti cybercrime operation. The new sanctions come after both governments doxed and sanctioned seven members earlier this year in February.

All 18 sanctioned individuals are Russian nationals, and both US and UK officials said some of the group's key members "highly likely maintain links to the Russian Intelligence Services from whom they have likely received tasking," which explains why the Conti crew was one of the first cybercrime groups to come out and support Russia's invasion of Ukraine.

[more on Risky Business News, including a summary of the sanctioned individuals and their roles in the cybercrime groups]

Myanmar fraud crackdown: China's Ministry of Public Security (MPS) says it received 1,207 suspects from Myanmar law enforcement. The suspects were detained last week as part of a coordinated large-scale crackdown against scam call centres in Myanmar's northern regions. The suspects are accused of scamming Chinese citizens in telecom fraud and extortion schemes. A Chinese police report claimed that 95% of the Chinese nationals working in northern Myanmar call centres had gone there "voluntarily" after failing to find employment in China. Previous reporting on the topic and a UN report say the opposite, claiming that many are trafficked and forced to work in the call centres against their will.

Note: It's a complicated issue. The UN report also says:

In some cases, individuals may have understood that they were being recruited to conduct online fraud but were deceived as to the conditions — for example they were not aware that they would be detained in the compounds, under- or unpaid, subject to beatings and other forms of violence, or forced to pay a ransom in order to leave. 

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Spotify:

A harrowing new UN report describes how hundreds of thousands of trafficked people are forced into working in online scam operations.

These operations cover the gamut from online fraud such as romance scams and fake cryptocurrency investment schemes to illegal gambling. They take place in online scam centres known as "boiler rooms" or "pig-butchering farms".

The human toll is staggering. The report says that at least 120,000 people across Myanmar and 100,000 in Cambodia are thought to be forced to work on online scams. The report cites Myanmar's military coup, ongoing violence and breakdown in the rule of law as significant factors in the proliferation of boiler rooms in the country. 

The report describes the Philippines, Thailand and Laos as transit or destination countries "where at least tens of thousands of people" have been involved. Police operations in the Philippines rescued over 1,000 people in May of this year and another 2,700 people in June from this kind of forced labour. 

The workers are lured to the online scam centres by the promise of an attractive job with a high salary, regular bonuses, free accommodation and food. Unlike previously documented trafficking, which usually involved low-skilled work, the report says the profile of these victims is quite different:

Many of the victims are well-educated, sometimes coming from professional jobs or with graduate or even post-graduate degrees, computer-literate and multilingual. Victims come from across the ASEAN region (from Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam), as well as mainland China, Hong Kong and Taiwan, South Asia, and even further afield from Africa and Latin America.

Once they arrive at the country in which the online scam centre is located, these workers often have their passports taken and they are placed in gated compounds. They are forced to work by threat of force. Per the report:

Reports commonly describe people being subjected to torture, cruel and degrading treatment and punishments including the threat or use of violence (as well as being made to witness violence against others) most commonly beatings, humiliation, electrocution and solitary confinement, especially if they resist orders or disobey compound rules or if they do not meet expected scamming targets. Reports have also been received of sexual violence, including gang rape as well as trafficking into the sex sector, most usually as punishment, for example for failing to meet their targets.

Traffickers also levy debts on the migrants, claiming costs for travel, quarantine, training and living costs and also performance-related fines. 

The COVID-19 pandemic and associated response measures had a drastic impact on activities across the region. These events left large numbers of migrant workers unemployed and prompted people worldwide to spend more time online. This increased the pool of potential targets. 

The PRC in particular has been hard hit by these scams. Per Catalin Cimpanu at Risky Business News:

With a large portion of call centre workers being Chinese nationals, China has been one of the most impacted countries by the "boiler room" and "pig butchering" epidemic…

A Chinese film named "No More Bets" was this summer's highest-grossing movie on China's internal market. The film follows the adventures and inhumane treatment a Chinese programmer goes through after being lured to work for one of these call centres — showing how prevalent these scams and recruitment schemes have become across China.

In June this year China's ambassador to Myanmar asked the military junta to crack down on the online scam centres operating in Myanmar's north. Results include about 300 people in total being arrested in four different actions. 

These scams are thought to generate billions of dollars each year, and of course, the people who lose money to these scams are another set of victims. Many of the scams are long-term efforts that build rapport with a victim over time to encourage them to invest money in a non-existent asset. 

This is a complex problem, and the report recognises that weak rule of law, poor governance, corruption and the Covid-19 pandemic all play a part in the rise of the forced online scam issue.

There is an important role for internet companies to play here. As the report notes, "the prominent role of social media and other digital platforms is an inherent — and striking — feature of these online scam operations". Online platforms are used to both recruit unwitting workers and to cultivate targets.

The UN report names Boo, Facebook, Grindr, Hinge, Instagram, Lazada, Line, LinkedIn, Meet Me, Muslima, OkCupid, Omi, Shopee, Skout, Telegram, TikTok, Tinder, WeChat, WhatsApp, and Wink as the networks used by scammers to defraud people. It also says advertisements to recruit workers were placed on social media such as Facebook, Instagram and Tinder.  

We think governments should ask what these platforms can do to mitigate these crimes, both in worker recruitment and scams. Platform efforts won't solve this problem, but given its scale, even an incremental improvement could potentially stop thousands of people from being scammed or forced to work in an online scam centre.

Subscribe now

Telstra's Digicel Pacific Linked To Commercial Spy Operations

A Pacific Islands mobile phone operator, Digicel Pacific, has likely been used by commercial spy firms to track people and intercept their data. 

These particular attacks don't require Digicel's network, but instead rely on leasing the firm’s "global titles", a type of network address which these firms need to send and receive signalling protocol messages used to exploit loopholes in the global telecommunications system. These attacks can be used to locate phones and intercept calls or texts. Intercepting texts, like a SIM swap attack, can be used to facilitate account hijacking. 

Telstra, a major Australian telecommunications operator, bought Digicel Pacific in July 2022 with support from AUD$2 billion of Australian government financing. Part of the justification for this deal was to prevent the PRC from buying Digicel and using the telco to facilitate espionage in the region. 

Telstra says it has been terminating Digicel's global title leases, and that only a small number remain. Clamping down on these leases is a good thing, but surveillance operators will probably find other telcos they can obtain global titles from. A Lighthouse Reports investigation into a Swiss-based phone surveillance operator, for example, found that it had leased hundreds of global titles. 

This news highlights that, yes, telcos can be used to facilitate spying and that access to even just one part of a telco is useful. Access to all of a telco? Priceless.

Age Verification Could Drive Kids to Weirder Websites

A federal judge has ruled that a Texas law requiring pornography sites to implement age-verification measures was unconstitutional and temporarily blocked its implementation. 

Other states including Utah, Louisiana, Mississippi, Virginia and Utah have passed similar laws.

Age verification is a simple solution to a complex problem that may well have unintended consequences. This week, the Australian government also published a plan that said age verification technology was not yet fit for purpose.

The government's approach is informed by a "Roadmap for Verification" report produced by Australia's eSafety Office. The report examines the issue holistically and includes original research into when young people first encounter pornography. 

One of the more interesting findings is that children often see pornography in group chats and on social media, so dedicated sites are not the only concern when it comes to preventing underage access. It also points out there is a risk that mandatory age verification mechanisms could push children actively looking for porn towards sites that don't comply and may potentially contain riskier content. 

Overall, in the short term it recommends that government and industry provide more assistance to carers so they can apply "a combination of supervision, safety discussions and the use of filters, safety settings, and parental controls".

The report does not reject age-verification technologies outright but determines most are not yet ready for widespread use. However, the report considers newer privacy-preserving age-verification technologies may be suitable and recommends testing them to see if they'll work.

It's a good report and it's clear that the eSafety Office did their homework here — it's informed by nearly 380 pages of what the office calls a "background report".

Three Reasons to be Cheerful this Week:

1. More Cyber Opportunity: Craig Newmark Philanthropies has donated USD$200k to support a cybersecurity program at historically black colleges and universities. Newmark, the founder of Craigslist has over time committed USD$100m to various cyber security efforts.  

2. OT Adversary Emulation: CISA and nonprofit MITRE have teamed up to build Operational Technology (OT) capabilities into MITRE's adversary emulation Caldera platform. The goal with Caldera for OT is to give industrial control system defenders better tools to conduct security assessments. 

3. BGP resilience is improving: Network analytics firm Kentik reports that two recent Border Gateway Protocol (BGP) leaks didn't cause widespread disruption. Kentik's director of internet analysis, Doug Madory, thinks that increased use of Route Origin Validation technologies like Resource Public Key Infrastructure have made BGP more resilient. In times past "large routing leaks like these" might have caused widespread internet disruption, he says. However, he adds, although the global routing system has become more resilient there is still plenty of scope for deliberate attacks to succeed (see BGP-enabled cryptocurrency thefts, for example). 

Sponsor Section

In this Risky Business News sponsor interview, Tom Uren talks to Mike Fey, CEO and co-founder of Island, about the idea of an "enterprise browser." Tom and Mike discuss what an enterprise browser actually is, what problems it solves, and why browsers focused on business requirements haven't been a product category until now.

Shorts

Microsoft Figures Out Storm-0558 Key "Acquisition"

Microsoft has published the results of its investigation into how a Chinese-based threat actor known as Storm-0558 was able to acquire a Microsoft account consumer signing key and use it to access enterprise and government email accounts.

It's worth a read. The very high-level summary is that an incorrectly redacted crash dump containing the key was transferred from Microsoft's hardened production environment to its corporate network where it was snaffled by Storm-0558. 

Overall, Storm-0558 took advantage of a series of five different errors — which Microsoft says they've fixed — to use the key to get unauthorised access to email. It's top-notch work from Storm-0558 to seize on these mistakes and take advantage of them. 

LastPass Breach All About the Crypto

Krebs On Security has examined the possibility that password vaults stolen from LastPass last year are being cracked and used in a string of six-figure cryptocurrency thefts. 

Last year a threat actor carried out a multi-stage hack to get access to LastPass customer vaults. In the first step, in August last year, a threat actor gained access to LastPass's development environment by compromising an engineer's laptop. The information gained in that attack was then used to target a second engineer whose device was compromised via Plex Media Server. This second breach allowed the attacker to download LastPass customer vault backups from cloud storage. Secrets in these vaults were still protected by the customer's master password.

Since December 2022 there have been a string of cryptocurrency thefts linked by a common modus operandi. Collectively, 150 people have lost over USD$35m in cryptocurrency. One common factor linking these thefts is that the victims were using LastPass to store their "seed phrase", essentially the private key that controls the cryptocurrency.

The theory here is that the attackers have been cracking these vaults and then stealing cryptocurrency.  It's an enticing theory and Krebs' detective story is well worth reading.

US Number Two In Phishing

Krebs also has a piece up about the disproportionate use of the ".US" country code top-level domain (ccTLD) in phishing scams. .US is second only to Mali (.ML) in ccTLDs being used for phishing. 

In theory, to register a .US domain you need to have some sort of relationship with the US, such as being a citizen or resident. Other ccTLDs that restrict registrations based on nationality have very low phishing rates, so this measure should prevent phishing abuse. In practice, however, this requirement is 'satisfied' by simply ticking a (pre-filled) box on the registrar's sign up form.

Bring Your Own Identity Provider Attacks

Identity and access management company Okta says four of its customers had been affected by a recent social engineering campaign that aimed to gain control of highly privileged accounts. 

In this campaign the attackers tried to convince IT help desk personnel in the targeted company to reset MFA for their Okta Super Administrators. It appears the attackers already had account passwords or were somehow able to manipulate authentication flows so that they didn't need them for these purposes.

Super admins can't masquerade as other accounts, so the attackers then configured a second identity provider controlled by them. This is a legitimate feature used in mergers and acquisitions, for example, but allows impersonation of other users by the attackers in this case. This technique was used by Russian actors in the SolarWinds incident

Okta has a suite of recommendations on how to prevent these kinds of attacks and best protect highly privileged accounts. 

Patrick Gray and Adam Boileau discussed this topic in detail at the top of this week's Risky Business podcast. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at how companies often make unilateral decisions that constrain states’ behaviour, for better and worse. 

From Risky Biz News:

Germany warns of Chinese APTs hijacking SOHO routers for espionage: The German government says Chinese APTs are hijacking SOHO routers, NAS devices, and smart home automation systems to conduct cyber-espionage operations.

The hacked devices are used as a giant mesh of proxies that relay and hide the origin of the attack.

Chinese cyber-espionage groups like APT15 (Vixen Panda, Ke3chang) and APT31 (Zirconium, Judgement Panda) have been observed utilising the tactic, according to a security advisory published by the German Federal Office for the Protection of the Constitution (BfV) last week. A Google Translate machine-translated version of the alert is here.

[more on Risky Business News]

GREF (APT15): A Chinese cyber-espionage group known as GREF (APT15 or Vixen Panda) has planted trojaned versions of the Signal and Telegram apps on the official Google and Samsung app stores. The two apps contained functional versions of the two apps and a copy of the BadBazaar spyware. ESET says the trojaned Telegram app was advertised in a Uyghur Telegram group and that evidence suggests it was installed by more than 14,000 users. The GREF group has a long history of targeting China's Uyghur and Turkic ethnic minorities.

Chastity cage leak: A Chinese smart sex toy company has left one of its databases exposed online and has leaked information on customers who own its male chastity devices (aka penis cages). Exposed data included email addresses, plaintext passwords, home addresses, IP addresses, and even GPS coordinates for some users. The security researcher who found the database says they reported the leak to the company and China's CERT team in June, with little success. The researcher says they went as far as to deface the vendor's homepage to inform the company about its leaky database. The company restored its website but did not secure its database. [Additional coverage in TechCrunch]

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple Podcasts:

Fears that proposed amendments to the UK's Investigatory Powers Act will prevent vendors from issuing software updates are overblown.

Early last month the UK government opened a consultation period on proposed changes to its Investigatory Powers Act (IPA), the legislation that governs law enforcement and intelligence agencies’ use of intrusive investigatory powers such as telco-mediated lawful interception. 

The IPA has been in force since 2016 when it combined existing statutory powers granted to UK authorities into a single piece of legislation. It also strengthened approval and oversight processes, with use of the most intrusive powers requiring a 'double-lock' approval from a government minister and an independent judicial commissioner. 

One of the proposed changes to the IPA is that telecommunications operators be required to notify the Secretary of State of planned changes to their services that could negatively impact investigatory powers. (Telecommunications operators include anyone providing a telecommunications service in the UK, including apps like WhatsApp and Signal.) Per the consultation document:

This would be intended to facilitate early engagement between operators and the government so that, where necessary, appropriate steps can be taken in good time to ensure that any negative impact on investigatory powers is fully considered, and so that we can ensure continuity of lawful access to data against a background of changing technology.

Some commentators have suggested that this forewarning could be used with other IPA coercive powers to stymie security updates to messaging apps. The IPA already contains powerful provisions for the government to issue various notices that can compel operators to take particular actions. Probably the most extreme, National Security Notices (NSNs), requires that operators do anything that the Secretary of State considers "necessary in the interests of national security". 

Another proposed change to the IPA is to strengthen its extraterritorial provisions to make it clearer that overseas operators offering services in the UK cannot avoid obligations by using complex corporate structures. 

Commenting on the proposed new provisions in Just Security, Ioannis Kouvakas, Senior Legal Officer at Privacy International, writes:

While the proposal does not specify what technical changes would require notification, these may include changes in the architecture of software that would interfere with the U.K.’s current surveillance powers. As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.

Kouvakas thinks that the extraterritorial provisions could breach international human rights. Stopping security updates worldwide, for example, might not be necessary or proportionate, he says.

Kouvakas is stretching here. For a start, one of the goals of the IPA is to ensure that intrusive powers are used proportionately and only when necessary. The safeguards here include the previously mentioned double-lock approval process and an independent commissioner who oversees operation of the Act.   

Speaking of the proposed notification obligation, the consultation document states "we fully acknowledge the need for strong safeguards that deliver the IPA's fundamental ​​principle of necessity and proportionality". It continues:

…we intend to develop a series of thresholds that would also trigger the notification requirement, for example, if a technical change could substantively impact existing IPA capabilities or the availability of communications and communications related data for a certain number of users or a certain percentage of the market. We welcome comments from respondents on this approach, including potential thresholds.

The thresholds cited here look to be much more about big picture architectural changes like the rollout of end-to-end encryption or switching from SMS to RCS, rather than the minutiae of security updates that are rolled out all the time. How would service providers know beforehand which security updates fix vulnerabilities that the government is currently exploiting? And how would they know whether that crossed any kind of threshold in terms of the number of affected users?

We think a more likely scenario is that a notification from a telecommunications operator about a significant upcoming change results in a back and forth discussion with the UK government about the implications for investigatory capabilities. This could ultimately result in some response that tries to maintain capability, such as an IPA Technical Capability Notice that requires the development of something that would allow the UK government to maintain the access it needs.

The proposed changes to the IPA are not about halting security patches—they’re about being better prepared for the future when an operator plans to flip an important switch.   

More on China's Barracuda Exploitation. A Lot More. 

Mandiant has published more details about a "Chinese-nexus" espionage group that engaged in an extensive campaign that compromised Barracuda Email Security Gateways (ESG). Back in June we described this campaign as "just plain rude":

The polite thing to do when your APT operation is discovered by your adversaries is to pack up, go home, and ready your next campaign. What you shouldn't do is escalate in response to discovery, dig in, and turn thousands of expensive email gateway appliances into boat anchors.

But this is exactly what a Chinese APT group did in response to one of its recent campaigns being rumbled.

Mandiant thought the group, which it called UNC4841, was engaged in fairly targeted espionage and was prepared from the get go to dig in when it was discovered. 

The report provides an exhaustive timeline of the group's Barracuda exploitation activity in a nice chart (below) that plots group activity and the cumulative number of victims compromised over time. The chart illustrates that once Barracuda discovered the campaign and issued remediation advice, there was a lot of activity from UNC4841, but not many new victims were compromised. 

This activity involved maintaining access by deploying additional malware or moving laterally. In its first post describing this campaign, Mandiant detailed various persistence mechanisms used by UNC4841. This new report describes a "second wave" of new malware families also used in an attempt to maintain persistence. 

Despite this, the campaign was relatively targeted and Mandiant thinks only about 5% of Barracuda ESGs worldwide were compromised. And, Mandiant says, additional malware to maintain persistence was deployed on only a small percentage of these compromised devices. For example, the most broadly used malware families used in this second wave, which Mandiant calls SKIPJACK and DEPTHCHARGE, were only deployed to 5.8% and 2.64% of compromised ESG devices respectively.

Mandiant thinks that the speed of malware deployment and the number of different varieties used indicates UNC4841 expected to be caught at some point and had prepared tooling in advance to dig into high-value targets when that happened.

The cyber security firm also expands on the group's targeting:

A deeper examination of identified affected organisations showed a recurring targeting of sectors that are key to global governments maintaining a competitive technological and economic edge in the face of impending strategic state deadlines. Entities were observed within the semiconductor, public health, aerospace, artificial intelligence/autonomous vehicles, and rare earth metal production sectors. Further, religious based organisations were impacted by UNC4841 campaigns. A cluster of organisations with mission-based aid or stated evangelical missions that impact China (and Chinese claimed geographies such as Hong Kong and Taiwan) were observed being targeted with the initial stages of malware utilised by this threat actor. Unlike numerous impacted organisations that align with traditional espionage requirements, these entities only received early stage implants such as SALTWATER, SEASPY, and SEASIDE. This may suggest a lower priority among UNC4841 collection requirements with evidence of deeper compromise, persistence, and exfiltration being observed among entities aligning with more conventional geopolitical, defence, and technology related mandates.

Overall, Mandiant notes it has observed higher level trends in Chinese cyber espionage "toward more purposeful, stealthy, and effective operations that avoid detection and complicate attribution." 

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:

Three Reasons to be Cheerful this Week:

1. FBI dismantles Qakbot botnet: The FBI announced that it had disrupted the Qakbot malware botnet in a "multinational cyber takedown". Qakbot had facilitated ransomware attacks that caused hundreds of millions of dollars in losses and the FBI had identified over 700,000 infected computers worldwide. The operation redirected Qakbot traffic to FBI-controlled servers that instructed infected computers to uninstall the malware. Further coverage at Risky Business News.

2. WebDetetive spyware taken down: Hackers claim to have breached Portuguese-language spyware WebDetetive and removed the spyware from victim devices. The hackers also said they had downloaded data about those who had paid for the spyware and shared that data with leak archive site DDoSecrets. WebDetetive was used extensively in Brazil and had been used to compromise more than 76,000 Android phones. 

3. US FedGov Vulnerability Disclosure Program Works: CISA says that its Vulnerability Disclosure Program (VDP) platform is being used by 40 federal civilian agencies. These agencies have collectively received over 1,300 valid reports, over 1,100 of which have been remediated. The platform provides a common interface for vulnerability reports across agencies. 

Sponsor Section

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Chris St. Myers, Threat Intelligence Lead at Stairwell, on how the company Inception platform can be used for finding old or new threats that sometimes may go unnoticed.

And in this video Stairwell's Mike Wiacek demonstrates Stairwell's file analysis and threat detection platform to Risky Business host Patrick Gray. Stairwell helps you monitor and analyse every executable file in your organisation, automatically collecting crucial intelligence and providing your security team with in-depth visibility and detections.

Shorts

Meta Removes Largest Influence Campaign

Meta announced that it had taken down a large Chinese influence campaign that the company described as "largest known cross-platform covert influence operation". It involved over 7,700 Facebook accounts and at least USD$3,500 in advertising spending. 

Despite the size of the campaign, Meta's quarterly Adversarial Threat Report says "despite the very large number of accounts and platforms it used, Spamouflage consistently struggled to reach beyond its own (fake) echo chamber." 

UN Treaty on Cybercrime

UN negotiations for a cybercrime treaty are continuing in New York this week. US negotiators are hoping for an agreement that represents an advance on the Budapest Convention, which is ratified by 50 countries only and not by China, Russia, India or Brazil. 

Human rights and civil liberties groups are concerned that the treaty may be used for surveillance and repression. It is a worry as that is exactly the sort of treaty that China and Russia would like. 

Subscribe now

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion, Tom Uren and The Grugq look at how asset inventory tools aren’t a substitute for knowing what a business values.

From Risky Biz News:

WinRAR 0-day used to hack stock and crypto traders: Hackers have used a zero-day vulnerability in the WinRAR file compression utility to install malware on user devices and steal funds from stock and cryptocurrency trading accounts.

The 0-day was discovered by security researchers from Group-IB, who spotted the attacks while investigating a DarkMe malware campaign. Researchers tracked the earliest exploits to April this year.

All the attacks appear to have been focused on the brokerage and crypto-trading communities, with booby-trapped ZIP files uploaded on eight popular forums.

[more on Risky Business News]

Malware found on Rust's Crates repository: Seven malicious packages have been found and removed from Crates, the official package repository for the Rust programming language, marking the second time malware has been found on the portal. [This is the first-known incident, if anyone's curious.]

The packages were discovered by DevSecOps company Phylum, which described them as showing "the hallmarks of early preparations for a broader campaign."

[more on Risky Business News]

Incident disrupts Polish railway: Suspected Russian saboteurs have disrupted the services of Poland's national railway system. Officials say the attackers broadcast an emergency stop signal on a frequency used by the country's train system. The signal caused around 20 trains to come to an emergency stop for a few hours near Szczecin, a port city near the German border. Officials say the emergency signal was mixed with Russia's national anthem and a speech by President Vladimir Putin. [Additional coverage in the BBC]

Subscribe now

You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed. Find this edition here and on Apple podcasts:

Why Russia's Cyber War Against Ukraine Failed

In a joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch spoke with Ilia Vitiuik, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about how Ukraine has countered Russia's cyber operations.

Vitiuk described Russian cyber operations against Ukraine as a "cyber war" with destructive campaigns against Ukraine starting in 2014, eight years before the full-scale invasion. Significant destructive cyber operations he cited included NotPetya, electricity network attacks in 2015 and 2016 and a less well-known attempt to cause a train collision by interfering with a railroad control system. 

Vitiuk said these incidents motivated Ukraine to improve its cyber security. 

"During that time, we improved our legislation, we adopted a new cybersecurity strategy," Vitiuk said. "We invented tools and techniques that are actually effective [in] countering these Russian aggressive potential cyber attacks." 

The number of cyber attacks the SBU dealt with that it believes comes from Russia have grown fivefold between 2020 and 2022. As a result, well before the physical invasion, the SBU had tremendous experience remediating and recovering from Russian attacks. Today, SBU deals with 10 to 15 "serious events" daily. 

Vitiuk said experience gained over the previous eight years was probably "the crucial thing" that enabled Ukraine to counter Russian cyber operations. 

There were many disruptive operations leading up to the invasion, Vitiuk said.

"It was a mixture of everything. Defacing websites, using wipers, lockers, DDoS attacks, and also the psychological disinformation campaign that actually was also launched simultaneously in order to make people panic that all of their data were stolen and will be exposed and that all the IT infrastructure will be wiped away."

Vitiuk thinks these early attacks were "about the psychology of the people". If they had succeeded, they would "wipe out a lot of infrastructure and make people panic [and] make people more vulnerable" to the subsequent invasion. This could explain why these attacks occurred weeks before the invasion rather than being timed to sow chaos as the ground invasion was kicking off. 

Ukraine had help. Vitiuk describes how US Cyber Command came to Ukraine in December 2021 and provided hardware and software to help the country defend high-value critical infrastructure. Vitiuk says these actions "helped us a lot" when Russian actors targeted that infrastructure.

Vitiuk also spoke of how Russian hackers had physically relocated to be "closer to the frontlines". This was to facilitate communication with the Russian military, get better access to Ukrainian military devices captured on the battlefield and to access Ukrainian infrastructure located in occupied territories. 

This forward deployment, for example, would have facilitated a recently-thwarted Russian effort to compromise Ukrainian combat information systems. Vitiuk provided more detail about the Russian effort and its potential to be extremely damaging.

The full interview is a compelling insight into cyber defence in a large-scale conflict. It is available here or on Apple podcasts:

Advanced Persistent Teenagers

Earlier this month the Cyber Safety Review Board (CSRB) released an excellent report into the activities of the Lapsus$ threat actor group. The report identifies many current security practices that aren't up to scratch and should be required reading for CISOs. 

Lapsus$ was a loosely-organised transnational group of hackers based mainly in the UK and Brazil that emerged in late 2021 and went on an absolute tear in 2022. The report said the core membership was a small group of around 10 known members, and the CSRB did not find evidence of affiliation with state actors. 

The group "seemed to work at various times for notoriety, financial gain, or amusement," the report said. Because Lapsus$ had ties to other threat actor groups that used similar tactics, the CSRB also considered these groups in its review.

The Board said "Lapsus$ was unique for its effectiveness, speed, creativity, and boldness". Despite its small size, the group managed to compromise high-profile companies including Microsoft, Uber, Nvidia, Rockstar Games, and Samsung. The group's "attacks were consistently effective against some of the most well-resourced and well-defended companies in the world". 

Rather than diving into specific incidents, the review took a holistic approach and made recommendations about the systemic issues that enabled Lapsus$' attacks.  

In an interview on the Risky Business podcast last week, CSRB Deputy Chair Heather Adkins said Lapsus$ included "very creative kids who have digital skills" but the "large majority of the very successful attacks against well-defended organisations stemmed from some fairly basic social engineering".  

"[Lapsus$] were just using accents, different languages, just calling people up, if the first thing didn't succeed they'd try, try again until something succeeded," Adkins continued. "They weren't really worried so much about failing, they were only worried about succeeding." 

Another aspect of Lapsus$’ success, she said, was that "there were really no rules" for the group.

Some members of Lapsus$, for example, exploited Emergency Disclosure Requests, emergency requests for information from service providers, typically law enforcement agencies, for sensitive personal information about targeted people. The group would then use this information to take over online accounts and access personal photos for use in extortion attempts.

Some of the groups related to Lapsus$ also harassed cyber security researchers and staff at targeted organisations. The report said:

The seriousness of this activity ranged from mischief to dangerous behaviour. Lapsus$ was known to join and monitor an organisation’s incident response channels, and in one instance took over a screen share and deleted resources live in front of the victim. Similarly, Lapsus$ publicly posted screenshots of victim environments to demonstrate their access. On the more serious end of this behaviour, loosely affiliated threat actors threatened and harassed security professionals by publishing their personal information online, i.e., doxing, and pestered targeted organisations’ employees on Keybase, Twitter, and other online forums. The Board also heard of a subset of threat actors that recruited forum members to hijack cybersecurity professionals’ online accounts, and conducted swatting attacks against them and their families. This demonstrates the potentially serious physical threat these groups posed.

Adkins described this behaviour as a "wake up call". 

"Believe it or not, many of the nation state actors we study are professionalised. They are not going to call up your local police department and have your house swatted."

Adkins thinks this results in many infosec people thinking "about the bad guys at a distance … [and that] they're going to operate within these constraints that we assume and we build these … investigator biases around how they behave."

Aside from breaking imaginary norms of behaviour, Lapsus$ was also particularly adept at exploiting the 'seams' between organisations. It identified points of weakness or vulnerability that existed in these relationships and exploited them ruthlessly. 

In one example, Lapsus$ targeted a company that provided technical support for identity vendor Okta in order to access Okta's downstream customers. Although the breach did not compromise Okta customers, the report describes it as a "remarkable example of a creative three-stage supply chain attack". 

The group targeted telecommunications providers because of their role in authentication processes that involve One Time Passcodes (OTPs) sent via SMS and voice calls. Lapsus$ compromised telecommunications infrastructure or subverted business processes and accounts to access these authentication mechanisms.

Some of Lapsus$’ techniques fell into the 'it’s not dumb if it works' category. For example, the group could rely on MFA push fatigue when spamming employees with access approval requests until they simply said yes. The report said "sometimes these prompts occurred late at night, or during inconvenient times, possibly to increase the likelihood of the employee accepting the prompt". 

Lapsus$ also tried to recruit insiders from targeted organisations and posted advertisements offering money for access to internal systems. The group offered up to USD$20k per week to insiders to conduct SIM swaps. 

If it didn't have inside help, the group would carry out fraudulent SIM swaps to enable access to other target accounts.

One clear message from the report is that SMS and voice-based MFA processes provide weak protection against determined attackers. From a CISO's point of view, they are better than nothing, but only barely.  

So it is no surprise that many of the report's recommendations focus on improving identity management while mitigating telecommunications and reseller vulnerabilities. 

The report recommends "everyone must progress toward a passwordless world", and mentions technologies built into consumer devices, such as FIDO2-compliant solutions, WebAuthn and Passkeys. 

At the same time, the Board recognised that implementing these solutions will take time and that SMS and voice authentication processes will be around for a while. 

There are a swathe of recommendations aimed at making telco SIM swapping procedures more rigorous. The report suggests that the Federal Communications Commission and the Federal Trade Commission "standardise and facilitate the adoption of best practices to reduce or eliminate fraudulent SIM swaps". 

These are exactly the kind of specific recommendations that we hoped would come out of a report like this. They address the root causes that allow Lapsus$ and groups like it to be successful, but they can only be arrived at by examining a broad set of incidents. 

Three Reasons to be Cheerful this Week:

1. 16Shop phishing arrests: An international operation coordinated by Interpol has resulted in the arrests of three individuals associated with the '16shop' phishing-as-a-service platform. Two of the suspects were arrested in Indonesia and one in Japan. Cyber security firm Group-IB says the platform has been active since late 2017 and has been used in the creation of over 150,000 phishing domains. The platform's administrator was a 21-year-old based in Indonesia. 

2. Three years prison for USD$20m of SIM Swapping: A US court sentenced 26-year-old Anthony Francis Faulk to three years in prison for his role in a cryptocurrency hacking trio. The trio tricked cellphone service providers into transferring victims’ phone numbers to a SIM under their control. Faulk and his co-conspirators would then reset passwords for email and cryptocurrency trading accounts to empty the associated wallets.

3. NCSC Ransomware Tipoffs: The UK's National Cyber Security Centre is disrupting ransomware attacks by tipping off potential victims prior to the deployment of encrypting malware. Detecting the ransomware attack is the easy part, apparently the hard part is finding contact details for the potential victims. Only one in 50 targeted organisations are alerted and sometimes the person contacted believes the  NCSC is a scammer. The NCSC is appealing for more British organisations to join its Early Warning program to receive these alerts.

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Dan Guido, CEO of Trail of Bits, about AI. Dan thinks AI technologies will be a "game changer." But he also thinks the conversation around AI is not very sophisticated just yet.

Trail of Bits co-founder and CEO Dan Guido was asked to provide feedback on the effects of AI on modern technology at a meeting of the Commodity Futures Trading Commission's Technology Advisory Committee (TAC) on July 18. His comments are summarised in the company's blog here and are available in full in the video below.

Shorts

Another Glenn Greenwald Source Goes to Jail

Brazilian authorities have sentenced a hacker named Walter Delgatti Neto to 20 years in prison in connection to the so-called Vaza Jato leaks.

In 2019 he leaked messages from prosecutors involved in an anti-corruption probe. These leaks revealed that a judge, Sérgio Moro, had coached prosecutors during a corruption investigation known as Operation Car Wash, or "Lava Jato". 

One of Moro's investigations resulted in the conviction of former Brazilian President Lula da Silva, which forced him out of the 2018 presidential poll. Moro was appointed to serve as the justice minister in the Bolsonaro government in 2019.

The Brazilian Supreme Court later ruled that Moro was biased against Lula. Lula's conviction was subsequently annulled, and he is once again serving as President of Brazil. 

Latest Open Source Hippies: The US Government

The US Government has announced a request for information seeking help on ways to secure open source software. 

The post compares the effort to secure open source software to the investment required to build the US interstate highway system. Although the investment was massive, the returns were also huge. We like the analogy, but of course the announcement doesn't commit any funding! 

The White House also launched a two-year competition led by DARPA to use AI to identify and fix software problems. The competition will feature almost USD$20m in prizes and we think it will move the needle. AI assistants are already being used to help write code, so they need to be security savvy too.  

Preparing For the Post-Quantum Future

CISA, NIST, and the NSA have published a joint guide to help organisations migrate to post-quantum cryptographic algorithms. Essentially, the guide says you should figure out what encryption systems you are using and come up with a plan to migrate to quantum-secure systems.. 

Google is taking these first steps and last week announced the release of the first "quantum resilient" FIDO2 security key. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at  hacking CCTV cameras for fun and profit.

From Risky Biz News:

US warns space sector of hacks, spying, IP theft, and sabotage: As the US private space sector is growing into a global behemoth and as Starlink shows the crucial role private satellite networks can play in a military conflict, the US government is urging companies to bolster their defenses against foreign sabotage and espionage.

Three US intelligence agencies—the FBI, the National Counterintelligence and Security Center, and the US Air Force Office of Special Investigations—published a joint security advisory [PDF] last week describing the type of threats the commercial space industry could face from foreign intelligence agencies.

Officials warn of hacks, malicious insiders, employee recruitment efforts, and misleading investments and business partnerships.

All of these are designed to enable espionage, the theft of intellectual property, and sabotage of space infrastructure in the case of a military conflict.

[more on Risky Business News]

Lockbit has been bluffing in extortion schemes, is close to an implosion: New clues discovered by threat intelligence analysts suggest that the Lockbit ransomware group may be having technical difficulties, which have contributed to the operation losing some of its top affiliates over the past months.

According to a report published by Analyst1's Jon DiMaggio, the Lockbit gang is having problems publishing and leaking victim data on its dark web leak site.

The gang has run out of server storage, DiMaggio says. It often claims that a victim's files have been published, but the files can't be downloaded.

[more on Risky Business News]

PowerShell's official package repo is a supply chain mess: PowerShell Gallery, the official repository for the PowerShell scripting language, contains (still-unfixed) design flaws that can be abused by threat actors for typosquatting and impersonation attacks.

Discovered by cloud security firm AquaSec, these issues can be weaponized in supply chain attacks to trick developers into downloading and running malicious PowerShell packages on their systems or inside enterprise applications.

[more on Risky Business News]