Srsly Risky Biz: Tuesday, January 12

JetBrains stories generate heat, shed little light, Mozilla tries to outfox censors, It's been real, Donald Trump

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

JetBrains stories generate heat, shed little light

Two of America's most respected mastheads allege that attackers were able to poison a SolarWinds software update in early 2020 via the company's use of JetBrains TeamCity.

The thinly sourced and somewhat confusing stories were published in New York Times and the Wall Street Journal and repeated by Reuters

JetBrains' TeamCity is a build management and continuous integration server. Software developers use JetBrains, typically in combination with a version control system, to manage and automate the testing and compilation process. It makes for a juicy target for attackers intent on modifying a software update in the final stages of the build process. JetBrains acknowledges that SolarWinds is a TeamCity customer.

The New York Times promoted its story with the fact that JetBrains CEO was born in Russia, and that its operations are based in the Czech Republic, just as previous New York Times stories made much of SolarWinds employing software engineers in Central Europe. Readers could easily be left with the impression that JetBrains was either compromised -- much in the same manner as SolarWinds -- or a party to the compromise. The Wall Street Journal took a little more caution, conceding that its sources weren't sure how SolarWinds' TeamCity server was accessed, while Reuters only added that the FBI was investigating the matter.

None of the three stories, however, specified what was compromised or how. Do these articles allege that JetBrains staff knowingly helped compromise SolarWinds' TeamCity instance? Not specifically. Do they allege SVR operators hacked into JetBrains' network to take over multiple JetBrains accounts, including SolarWinds'? Again, no, not specifically. We don't even know if SolarWinds was using a hosted account or an on-premise server.

None of these crucially important details appear in any of the three stories. Without them, the news isn't actionable for policy makers or infosec teams. We're left to make decisions based on unsourced rumours that pre-date these stories and firm, repeated denials from JetBrains' CEO.

There's probably something to the JetBrains coverage. We just don't know what it is.

In related news, CrowdStrike, which has been engaged by SolarWinds, posted an analysis of the implant the attackers used to sneak the SUNBURST malware into the SolarWinds Orion update. For what it's worth, CrowdStrike's write-up makes no mention of JetBrains' TeamCity software.

SolarWinds has admitted that, now with the benefit of hindsight, the malicious Orion update was likely to have played a part in two previous "customer support incidents". It claims that multiple forensic firms also failed to detect the SUNBURST malware during those incidents.

Meanwhile, the US Department of Justice has confirmed that it was infected by the tainted SolarWinds update and is one of the 10+ US agencies attackers attackers chose to target. Investigators found that attackers accessed 3 percent (~3000) of the inboxes in the DoJ's Microsoft Office365 email tenant.

We strongly doubt that's where DoJ's troubles ended. Sources told Brian Krebs that attackers also made a beeline for a system that stores sealed US court records. 

Perhaps curious attackers wanted to know if it's still safe to holiday in Thailand.

Mozilla tries to outfox censors with encrypted ClientHello

The next version of Mozilla's Firefox browser (Firefox 85) will support an experimental TLS extension designed to improve on previous attempts to defeat internet censorship.

Mozilla will replace the ESNI extension, which encrypts the server name indicator value in a TLS handshake, with the new Encrypted Client Hello (ECH) extension, which encrypts the entire ClientHello message

Both extensions attempt to solve a difficult security engineering problem: how to avoid leaking the target domain in a TLS connection before the client and server have negotiated how to encrypt it.

ESNI wasn't much of a challenge for internet censors. As previously reported (see "China's Great Firewall blocks latest web encryption specs"), censors in China and Russia found ways to identify and block TLS 1.3 + ESNI traffic, which could easily be differentiated from connections that used regular handshakes.

Encrypted Client Hello (ECH) tries to ensure that handshake messages sent from servers sitting behind a cloud/CDN service reply to clients in uniform ways that don't indicate whether ECH was used. The protocol also demands that clients (browsers) randomly flip between offering a real ECH extension and a dummy extension that servers can safely ignore. 

Authors of ECH hope that when these tricks are combined with DNS-over-HTTPS, it will be more difficult for an eavesdropper on the network to identify what site was requested or how the communication will be protected.

They describe the extension as another interim step toward defeating traffic analysis, which can use something as trivial as the length of handshake messages to make inferences about a web request.

Metadata opacity isn't just great for privacy, of course. Attackers love it too. ECH and similar initiatives will make network security monitoring much harder. Hooray?

It's been real, Donald Trump 

After years of insisting that their platforms should be "value-neutral," America's tech giants have in a single day collectively choked the online presence of outgoing President Donald Trump.

In response to the storming of the United States Capitol:

  • Twitter permanently deleted the @realDonaldTrump account, the accounts of several of his most ardent supporters and 70,000 bot accounts associated with the QAnon movement;

  • Facebook announced an "indefinite" ban on Trump's accounts, which at minimum will prevent his team from posting for two weeks;

  • YouTube announced that it would temporarily suspend any accounts publishing false claims about the US election, which has already claimed Steve Bannon's "War Room" and recent videos by Trump and his lawyer Rudy Giuliani;

  • Discord banned "The Donald" server and Reddit banned the r/DonaldTrump subreddit group, both of which built up sizeable communities since Reddit banned the r/The_Donald subreddit group in June 2020;

  • Snapchat locked Trump's account during the attack on the US Capitol. Twitch did the same, and will reassess whether to re-open the account once Trump leaves office.

  • Payments processors Stripe and PayPal cancelled Trump fundraising accounts, Shopify removed two online stores selling MAGA merch and CampaignMonitor suspended mailing list services provided to the Trump campaign, while Salesforce took unspecified "actions" to prevent its services being used to incite violence. 

  • Parler, the American hard right's alternative to Twitter, was removed from the app stores of Google and Apple. Apple previously gave Parler 24 hours to publish a content moderation policy. Amazon Web Services revoked Parler's web hosting account at short notice. Parler has subsequently dropped offline, but not before someone had the presence of mind to scrape its (public) content. Parler filed suit against Amazon Web Services in response.

Trump's norm-shattering behaviour has long presented a quandary for social networks. In recent months, the President used social media to amplify misinformation about the US election, all while promoting and raising funds for a January 6 protest event that numerous analysts warned would lead to an attempted "coup". 

Facebook and Twitter say they're taking action now because Trump's posts are likely to provoke further violence. Twitter hit the perma-ban button on the President's account after content moderators were alerted to posts encouraging a second attack on the US Capitol on January 17.

A handful of tech companies continue to resist the role of content moderator. Trump supporters have flocked to Gab, a social network whose domain is hosted by Nazi cuddlers epik.com (who also host the Parler.com domain) and protected by CloudFlare. Gab is basically Twitter for fascists who don't mind waiting three minutes for a page to load.

Shorts

Ryuk is minted

The Ryuk ransomware gang has taken over US$150 million in payments from victims since it started its operations, according to two threat intel firms. AdvIntel and HYAS claim the ransomware gang primarily use the Binance and Huobi cryptocurrency exchanges to launder extorted funds. Both exchanges were founded by Chinese nationals but are based in Malta and the Seychelles respectively. 

Ransomware gang gets personal

Catalin Cimpanu at ZDNet described how a ransomware crew is seeking out the workstations of senior executives during attacks. The attackers, identified as a Clop affiliate (and possibly a REvil affiliate too), search for content that, if published, would harm the reputation of those executives responsible for deciding whether to pay the ransom. Makes sense. 

This will end badly

DDoSecrets activists archived and published 1TB of data stolen by ransomware gangs. The group hopes researchers and journalists might discover scandalous material in it worthy of further exploration. They are also offering to make an additional 1.9TB of data available to selected media outlets and academic researchers. DDoSecrets says it hasn't vetted the material because there's too much of it to comb through. Expect this project to run into many of the same ethical problems as WikiLeaks.

Sysmon can now detect process tampering

Microsoft's inbuilt System Monitor (sysmon) app can now detect and log when malware tampers with a legitimate Windows process using process herpaderping.  

Pastebin.com blocks encoded executables

Threat researcher Paul Melson discovered that Pastebin.com has implemented checks that block attempts to upload encoded executable files. The big question now is which pastebin malware authors will turn to next.

Chinese payment apps banned in the US

President Trump has flipped one last bird to President Xi Jinping, signing an executive order that bans transactions with seven Chinese apps, including Alipay, TenCent QQ Wallet and WeChat Pay. The Executive Order claims that the apps could be used to build dossiers on federal workers in the US, which might prove prescient if rumours about the nationalisation of Alibaba have any substance.

New Zealand's Reserve Bank warns of Accellion breach

New Zealand's central bank Te Pūtea Matua revealed that Accellion's FTA, a third party file transfer service the bank used to store "commercially and personally sensitive information" was compromised by an undisclosed attacker. An RBNZ statement said that other Accellion clients were likely to be affected. Accellion told journalists that the bank was hacked after failing to patch a vulnerability in Accellion software that was disclosed in December.  

Ubiquiti Networks asks customers to reset passwords

Ubiquiti customers report that they are being asked to reset their passwords in response to a breach of the company's customer-facing web portal. Passwords were apparently salted and hashed. 

Rapid reputation restoration team

SolarWinds, the network management vendor at the centre of a supply chain compromise that infected over 10 US civilian agencies, hired former CISA Director Chris Krebs and former Facebook and Yahoo CISO Alex Stamos as advisors. Krebs and Stamos have started a consulting company to facilitate the work. In 2020, Stamos consulted with video conferencing startup Zoom in one of the world's fastest security overhauls.  

This week's long read

Harvard Business Review penned a more eloquent version of the story on cyber insurance we ran back in December, calculating how quickly a few big claims could spoil the party for insurers and reinsurers.  

This week's viewing

Al Jazeera TV published a 45-minute YouTube documentary about the use of NSO Group tools to hack the iPhones of 36 journalists.

Correction

The original version of this newsletter associated Ryuk ransomware with TA505, which is incorrect. TA505 is more commonly associated with CLOP ransomware. So no, I’m not privy to some amazing intel that you missed: I just had a brain explosion. Apologies!