Srsly Risky Biz: Thursday 8 August
USA Blinks in Ransomware Fight
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.
USA Blinks in Ransomware Fight
The US Government is backing away from its plan to conduct offensive operations against Russian ransomware crews.
The backdown came after Recorded Future's news website The Record published a softball interview with the BlackMatter ransomware crew in which it declared it would cease conducting attacks against critical infrastructure. BlackMatter is likely a reincarnation of DarkSide, the ransomware gang responsible for the Colonial Pipeline attack.
In a naked attempt to shape perceptions to avoid US government attention, BlackMatter staked out its position as a "responsible" big-game ransomware operator, claiming it won't attack sectors like healthcare, energy, critical infrastructure and government.
Speaking at the Aspen Security Forum, deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger described the interview as "remarkable" because it revealed the thinking of this particular ransomware group. She "took it... as a sign the message regarding the disruptive ransomware activity against critical infrastructure is unacceptable" was being received.
We think she should be careful interpreting BlackMatter's statement as some sort of win.
Alarmingly, two aspects of Neuberger's statements at the forum even suggest that ransomware crews will continue to operate without having to deal with interference from Cyber Command as long as they halfway behave themselves.
Firstly, she stepped back from the idea of using offensive operations against ransomware crews, highlighting the difficulties of conducting operations with "discrete impact" in an interconnected world. While true, a big part of US Cyber Command's (USCC) mission is to conduct targeted and proportionate operations in support of national security objectives. In the absence of effective Russian (local) law enforcement, offensive cyber operations are the only measure that can meaningfully disrupt ransomware crews.
And we're not talking about USCC rolling out its top-tier goodies, either. It could make life painful for ransomware operators using workaday techniques that take advantage of the porous opsec of cyber criminals. These sorts of operations would absolutely be effective and should be used against the highest-priority ransomware targets. In our view, they shouldn't be taken off the table.
Secondly, Neuberger emphasised the Biden Administration's focus on critical infrastructure, in effect signalling that ransomware in other sectors is acceptable. Worryingly, this could be interpreted as a green light for criminals to continue pillaging important (but not critical) enterprises. Ransomware needs to be tackled with all available tools regardless of the sectors it affects.
At the same forum Neuberger said the most effective way to tackle ransomware from another country is by "shaping their [leadership's] expectations and shaping their calculations".
And it looks like she's right: Russia has addressed the diplomatic problems its ransomware criminals created by hoodwinking the US into accepting never-ending ransomware attacks -- just not against critical infrastructure.
What Did Russia Want With All Those DoJ Mailboxes?
It turns out Russia regards the United States Department of Justice as quite the juicy target.
Late last week the DoJ announced Russian state hackers -- as a part of the so-called "SolarWinds campaign" -- compromised the Microsoft Office 365 email accounts at 27 state attorney's offices, including over 80% of the employees working in the Eastern, Northern, Southern, and Western Districts of New York.
We already knew the same group of hackers, previously identified as APT29 and associated with the SVR, the Russian Foreign Intelligence Service, had compromised the Administrative Office of the US Courts and its Case Management/Electronic Case Files system (CM/ECF). While most of the documents available through the case management system are publicly available, some (such as sealed indictments) are highly sensitive and not publicly available.
Taken together, these compromises indicate the Russian government is very, very interested in the US justice system. But why?
Russia, and before that the Soviet Union, has always had an enduring interest in US counterintelligence activities, cultivating human sources such as Aldrich Ames (CIA) and Robert Hanssen (FBI). These human sources stole secret information and had real impact -- many Russian sources were executed as a result of these recruitments.
Despite lacking the right level of opsec, nowadays the broader Department of Justice (not just the FBI) is also the home of some counterintelligence activity, being responsible for the US government's response to cyber crime and state-backed hacking and foreign interference. The United States, through the DoJ, has used indictments to define the limits of "acceptable" state behaviour and respond to Russian interference in the 2016 election.
There's no way to know for sure what the Russians were after, but we can take a wild guess at a couple of reasons. Firstly, it's likely Russia wants to know if its APT activities are being discussed by DoJ staffers. And secondly, given the enduring popularity of former President Donald Trump among Republicans, it's also eager to seek advance knowledge of developments in the bevy of potential litigation against him, too. That sort of knowledge could be used to improve Russian influence campaigns by preparing them to take immediate action when news breaks, or even by pre-seeding narratives before official actions are announced.
This second theory is consistent with the hacker's apparent focus on the email accounts based in New York, the location of the Trump Organization headquarters.
In the wake of its case management system being breached, the US Courts Administrative Office announced new security procedures -- highly sensitive court documents would only be kept on a "secure stand-alone system," and not uploaded to the CM/ECF system. Nicely done, but a little bit late, people. The US government's approach to deterring state activity had changed to involve the DoJ, but they didn't close the barn door until after the horse bolted.
This is a vignette of society's broader response to changing cyber security threats. The threat environment changes rapidly but security practices change only when a breach is detected. Oh well. :(
UK Should Not Barge Into Israel-Iran Cyber Conflict
UK tabloid The Sun reports (screeches?) the UK is considering "cyber retaliation" in response to an Iranian unmanned aerial vehicle attack on the MV Mercer Street, an oil tanker managed by the Israeli-owned Zodiac Marine. The attack in the Arabian Sea killed two people, a Briton and a Romanian. The Sun quotes an anonymous senior UK defence source saying a cyber operation was the most likely response and "nobody will see it here but they will be left in no doubt you cannot kill a Brit unchecked".
Obviously we have to take a report from The Sun with a (giant) grain of salt. Indeed The Telegraph argues the UK won't be interested in jumping into a shadow war against Iran, cyber or not.
It shouldn't. The tanker incident comes against a backdrop of highly destructive tit-for-tat cyber and kinetic operations between Iran and Israel, and this latest incident will just make that fire burn a little hotter. We don't need new players in this game right now.
A little history: Following reports of cyber attacks against Israeli water infrastructure in 2020, a suspiciously large number of things have caught fire or gone boom in Iran since, including the Natanz uranium enrichment facility, a missile production facility, an oil pipeline, a shipyard in the Iranian port of Bushehr, Iran's largest warship, and an oil refinery.
Other less physically destructive incidents have involved cyber attacks on the port of Bandar Abbas and a wiper attack on Iran's national rail system. Some of these incidents could be the result of deliberate state-backed actions; others may simply be accidents.
This one wasn't an accident, though: In November last year, Iran's top nuclear scientist was assassinated with a self-destructing remotely-controlled machine-gun. No prizes for guessing who the prime suspect in that techno-dystopian caper was.
There are reasons the UK might want to retaliate with a cyber operation -- it may be able to achieve a specific effect that cannot be achieved with conventional military forces.
But in the current Iranian situation the properties of cyber operations that make them useful for covert action -- the difficulty of attribution and the ability to cause a spectrum of effects ranging from temporary denial of service to physical destruction -- mean that a tragic accident in Iran could easily be misinterpreted as deliberate action that demands a robust Iranian response. In other words, threatening to use cyber operations to retaliate makes conflict escalation more likely.
This could well result in escalation from relatively limited cyber operations to a more widespread and destructive real-world conflict.
Using a cyber operation where only Iran knows the effect achieved also negates any deterrent value the British response may have. Deterrence works when people -- other potential adversaries -- understand that certain actions have inevitable and costly consequences. Keeping those consequences secret prevents them from having a broader deterrent effect.
The uncertainty around attribution is what makes cyber operations good at causing covert or clandestine effects, but not so good for deterrence, especially when no-one knows what has happened.
A Communique From the 3-Eyes Alliance
The USA, UK and Australian governments have issued a joint advisory on the most widely exploited security flaws in 2020 and 2021 and yes, it makes for pretty depressing reading.
The advisory, from CISA, the FBI, ACSC and NCSC, lists the flaws, most of which affect perimeter or VPN devices from Citrix, Pulse Secure, Fortinet, F5 and Accellion. Most were disclosed relatively recently -- within the last two years -- although all of them have patches available.
2020's MVP was CVE-2019-19781, a Citrix Netscaler Application Delivery Controller (ADC) remote code execution bug. And the award for longevity goes to CVE-2017-11882 a Microsoft Office remote code execution bug from a 17-year old flaw.
Combining forces for joint advisories results in more media coverage and awareness, but there are underlying systemic issues that limit their effectiveness.
Firstly, many of the organisations that haven't patched these vulnerabilities already -- the advisory's target audience -- are either unwilling or unable to. Laws and regulations that impose a positive security obligation will be required to change attitudes across many sectors, and governments just don't want to go there.
Secondly, enterprise software vendors continue to churn out critically important products that contain absolutely idiotic vulnerabilities. Within the last month: a null-password vulnerability in Kaseya's VSA product was exploited to install ransomware at scale; the Dell Wyse Management Suite, a set of tools to manage up to a million Dell endpoints, was found to have a pair of file path disclosure and arbitrary file read vulnerabilities in it; and a pre-auth remote code execution vulnerability was found and exploited in the open source identity and access management application ForgeRock.
These are critical pieces of software that have some combination of the following attributes: they're internet facing, tend to have broad visibility and access into a network and often have administrative privileges. These properties make unauthorised access to these applications extremely attractive, and the permissive environment that allows these types of technologies to ship with these types of easily discoverable critical flaws needs to be changed.
The Bipartisan Defense of United States Infrastructure Act legislation has been introduced into the US Senate. Among other initiatives, the bill would establish a Bureau of Cyber Statistics that would collect and analyse cyber threat and crime statistics. This was proposed by the Cyberspace Solarium Commission. The National Cyber Director, Chris Inglis, recently spoke in support of the idea. The work of this bureau -- building a big picture view of the cyber security ecosystem as a whole -- would complement the Cyber Safety Review Board to be established under President Biden's cybersecurity executive order that will examine "significant" cyber security incidents. The definition of significant is pretty broad and includes incidents that harm "the public confidence… of the American people".
Pew Pew! It's a Shootin' War
President Biden says the next big armed conflict could result from escalation stemming from cyber operations. "If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach of great consequence," he says. Biden is probably wrong: research suggests that people consider cyber attacks to be qualitatively different from physical attacks, and are reluctant to escalate to real-world use of force in response. These types of remarks probably won't hurt in making adversaries worry about American retaliation, at least a little bit, but we mostly think they made him sound a bit dense.
Responsible Cyber Offense
A Lawfare piece has proposed practical measures to assess whether state-backed cyber operations are "responsible". The authors put some flesh on the bones of international law and suggest that operations be targeted, tools be tested, and indiscriminate damage avoided. It's all very sensible, and talk at this level of detail may engage the technical set in the IC. That's needed -- most of them currently think voluntary, non-binding "cyber norms" are as effective as sitting in a circle singing Kumbaya.
Available to share: Compromised Hosts in SEA Telco. Must be Clean. Non Smoking
At least two (possibly three) PRC-linked groups have been targeting Southeast Asian telecommunications companies from as long ago as 2017. These groups appear to be targeting telcos to conduct espionage against specific targets by gaining access to billing systems and Call Data Records (CDRs). The three possible groups -- Soft Cell or Gallium, Naikon and Threat Group-3390 -- at times occupied the same target companies at the same time and sometimes even coexisted on the same endpoints. This suggests that Chinese APT groups are given high-level direction but that operational coordination amongst groups is low.
A Series of Tubes
Multiple vulnerabilities have been disclosed in the TransLogic Pneumatic Tube System, used in around 80% of major North American hospitals. The bugs -- which are of the grade-A bonehead variety (default creds on telnet? What year is this??) -- allow unauthenticated attackers to take complete control of tube system installations. These systems are used to send medicines, samples and other medical supplies around hospitals, and these vulnerabilities could be used to disrupt healthcare.
Software with Chinese Characteristics
The Beijing One Pass application developed by the Beijing Certificate Authority, a state-owned enterprise, has some interesting capabilities for an app designed to allow employees to check their state benefits: it can take screenshots, read data from the clipboard, capture keystrokes...
This thing is reminiscent of the GoldenSpy malware embedded in Chinese tax payment software.
NSO is Completely Innocent but Investigates Itself Anyway
In further fallout from the Pegasus Project investigation, reported in last week's newsletter, the NSO group has suspended several of its clients while it investigates possible misuse, despite denying any wrongdoing and then spitting the dummy. Watch, as we investigate the degree to which we're completely innocent!
Someone is manipulating the Automated Identification System (AIS) system, a maritime collision-avoidance radio system, to spoof the location of warships. Sometimes these warships appear to be in sensitive locations, such as approaching foreign naval bases or entering disputed waters. Because vessels rely on on-board receivers and the fake signals appear only in AIS data after it is aggregated, it's hard to see any immediate maritime safety implications, so authorities and perhaps even affected navies might not be motivated to investigate given other priorities. But it feels like there's a bigger game afoot. What is it?
Brute Forcing the Smartypants Way
This blog or rant is interesting for the process the researcher used to circumvent server rate limits for iCloud account resets by using 28,000 separate IP addresses to brute force a six digit PIN.
Discord Tokens and Credit Card Numbers. What Are You, 15?
Eight malicious packages in Pypi, the official Python software repository, have been removed for stealing credit card numbers and Discord authentication tokens. That sort of thing is pretty run-of-the-mill these days, but this bug that would have allowed an attacker to gain full control of the Pypi code repository definitely isn't! Also, Discord tokens and credit card numbers? That's an odd combo.
Zoom Settles: Customers to get $15-$25
Zoom has agreed to an USD$85m settlement after a class action lawsuit that claimed it lied about end-to-end encryption (it did) and shared user data with Facebook and Google. Lawyers are the big winners here and will get up to 25% of the settlement, with customers receiving $15 to $25 a piece. Although we are all winners if it means people won't abuse the term "end-to-end encryption". It's 2021 ffs. Get with the program.
Voluntary Cybersecurity Standards for Critical Infrastructure
President Biden issued a new national security memorandum for federal agencies to develop cyber security goals for critical infrastructure. These voluntary "standards" will have to do until mandatory ones can be legislated.