Srsly Risky Biz: Thursday, December 9
A look at Tor's mysterious benef(actor) and Mitto's Bone Saw Side Hustle
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.
Bone Saw Side Hustle
The co-founder and COO of Mitto AG, a Swiss company that sends automated text messages including 2FA codes, has allegedly been selling access to his company's networks to surveillance companies.
Mitto AG sells automated messaging services and has relationships with telcos in more than 100 countries, giving it reach that has attracted major technology companies such as Google, Twitter and WhatsApp as clients. Bloomberg reports Mitto's COO, Ilja Gorelik, secretly allowed multiple surveillance companies to leverage its relationships with telcos to allow them to abuse SS7 (Signalling System 7, a telco signalling protocol) to track devices or perhaps even redirect calls and SMSs.
These arrangements were known to only a small number of people within the company and Mitto has strongly denied corporate involvement. It told The Bureau of Investigative Journalism:
To be clear, Mitto does not, has not, and will not organise and operate a separate business, division, or entity that provides surveillance companies access to telecom infrastructure to secretly locate people via their mobile phones, or other illegal acts. Mitto also does not condone, support, and enable the exploitation of telecom networks with whom the company partners to deliver service to its global customers.
One of the mechanisms in SS7 that can be used to collect information about devices is a Home Location Register (HLR) lookup. HLR lookups provide information on device location, which mobile network it belongs to and whether the device is currently active. You need an HLR lookup to know where to send an SMS. The feature is also useful to a company like NSO that's looking to send malware to mobile devices. Is the device active? Is it in a no-go country like the USA?
SS7 is inherently insecure, but the GSMA tries to limit abuse through contract agreements. For example, with regards to HLR lookups these agreements state, per Cathal McDaid:
Interrogation of HLRs is not permitted unless it has been agreed between two parties in their roaming or interworking agreements
For avoidance of doubt, IMSI or Node information that could compromise the privacy or location of subscribers must not be disclosed, subject to the relationship established by the parties
Reselling of results of the queries is not allowed, only by the owner of the HLR, or any parties authorised by the owner of the HLR
Any breach of this could lead to suspension of roaming/interworking agreements
Mitto likely has contractual arrangements in place allowing SS7 queries that a surveillance company couldn't arrange on its own.
All this makes us wonder whether the 50,000 phone number list that the Pegasus Project linked to NSO Group was sourced from Gorelik's Mitto side hustle. The list was promoted as potential evidence of NSO targeting — Amnesty International described it as a list of "potential surveillance targets" — but the exact provenance has never been made clear. The list seems to have had some relationship to NSO's activities — some numbers were added to the list just minutes or even seconds prior to attempted Pegasus malware infection. But NSO's activities could be just a subset of the list.
NSO's CEO told Israeli media that an information broker had approached them saying the list had originated from hacked servers in Cyprus. Interestingly, the Bureau of Investigative Journalism report claims Gorelik personally installed custom software within Mitto's network for a Cyprus-based surveillance company named TRG Research and Development. TRG issued one of the weirdest denials we've ever seen. It claims there was no "commercial relationship" between TRG and Mitto and "if anyone within TRG or Mitto has had such relationships, it is a personal relationship and is not related to TRG".
We don't know if there's a connection between the "NSO target list" and TRG, or any connection between NSO and TRG. And even if there is, how would we know if it's "commercial" or "personal"? But the whole thing smells, well, suss.
The US Government is Wrong: Ransomware Policy Isn't Just About Critical Infrastructure Protection
The Canadian government and US Cyber Command were both out and about acknowledging taking offensive action against ransomware crews this week, but we do worry governments' focus on treating ransomware solely as a critical infrastructure threat is the road to hell.
In an interview with The New York Times, General Paul Nakasone, head of US Cyber Command, confirmed what we pretty much knew — that the military had taken action against ransomware crews to "impose costs".
In addition to some limited action against REvil, The Times also reports "Cyber Command and the N.S.A. also assisted the F.B.I. and the Justice Department in their efforts to seize and recover much of the cryptocurrency ransom paid by Colonial Pipeline".
It's nice to see some confirmation that cyber operations are being used (presumably) to snatch Bitcoin private keys from ransomware criminals.
Nakasone also stated that what had been viewed as a law enforcement responsibility nine months ago was now "impacting critical infrastructure," and therefore deserving of a military response. This echoes comments Nakasone made in October at the Mandiant Cyber Defense Summit. "When ransomware starts impacting our critical infrastructure, it’s significant. If it isn’t important to U.S. Cyber Command (USCYBERCOM) and the National Security Agency — who are built for the express purpose of defending the nation — there’s something wrong there."
Our position is ransomware is cumulatively damaging even in the absence of big-ticket attacks on critical infrastructure like the Colonial Pipeline incident. Recorded Future's Ransomware tracker shows that attacks on healthcare, schools and governments are continuing. And let's remember that ransomware in hospitals can be a life or death situation. Even data breaches can be emotionally devastating for those involved — this week data from 400,000 Planned Parenthood patients was stolen.
According to the email notification this possibly includes "address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information". Allowing criminals to profit by hurting sick and vulnerable Americans and children should be simply unacceptable. Schools aren't critical infrastructure. Planned Parenthood isn't critical infrastructure. But are we going to just allow them to be steamrolled by modern-day pirates? It's death by a thousand cuts. As policy, it's bonkers.
Giving criminals "no go lists" green lights them to attack everything else, and allowing them to thrive in non-critical sectors will absolutely make them more capable, more dangerous, and more of a threat to the critical sectors you're trying to protect once they feel emboldened enough to step outside the USA's guidelines on "acceptable crime".
Ongoing ransomware disruption across all sectors of the economy requires a whole-of-government response. Law enforcement action just isn't working. The US government has offensive cyber capabilities that can be effective in disrupting cyber crime, and these happen to sit in USCYBERCOM. It's time to step up.
Getting to Know You, Tor Edition
A researcher known as nusenu claims to have identified (based on non-standard behaviour) a sophisticated 'benefactor' running hundreds of Tor nodes, and only perhaps looking to de-anonymise users in return.
Tor attempts anonymity by sending encrypted traffic through multiple independent nodes or relays — guard (or entry), middle and exit nodes. At its peak the (benef)actor, dubbed KAX17, ran 16% of entry (guard) nodes, 35% of middle nodes, and just under 5% of exit nodes. It's enough to theoretically be able to decloak users and onion services.
Tor frequently changes its paths (circuits) through its network, so over time the chance that a user will be entirely visible to KAX17 grows, even if the chance of a single circuit being decloaked is small.
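Putting numbers on that argument, as an added illustration that is not part of the original newsletter or nusenu's analysis: the calculation below takes KAX17's reported guard and exit shares (the exit share is rounded to 0.05, an assumption) and compares the per-circuit model implied above with Tor's actual guard-pinning behaviour, which caps a given user's exposure at the guard share.

```python
import math

# KAX17's peak relay shares as reported by nusenu. "Just under 5%" for exits is
# rounded to 0.05 here (an assumption); these are shares of relays, not consensus
# weight, so treat the results as rough.
GUARD_SHARE = 0.16
EXIT_SHARE = 0.05


def single_circuit_exposure(guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Probability that one fresh circuit has both guard and exit on KAX17, which is
    what lets an operator correlate a user's entry traffic with its destination.
    A KAX17 middle alone links nothing, so the 35% middle share is not used."""
    return guard * exit_


def naive_exposure(n_circuits, guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Chance at least one of n circuits is fully visible if every circuit chose its
    guard independently: the model behind "the chance grows over time"."""
    p = single_circuit_exposure(guard, exit_)
    return 1.0 - (1.0 - p) ** n_circuits


def pinned_guard_exposure(n_circuits, guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Same question with Tor's real guard behaviour: a client keeps one guard for
    months, so only clients whose pinned guard is KAX17 are at risk at all, and
    for them each circuit is exposed whenever its exit is also KAX17."""
    return guard * (1.0 - (1.0 - exit_) ** n_circuits)


def circuits_until(target, guard=GUARD_SHARE, exit_=EXIT_SHARE):
    """Circuits needed for the naive model to reach the target probability."""
    p = single_circuit_exposure(guard, exit_)
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


if __name__ == "__main__":
    for n in (1, 10, 100, 1000):
        print(f"{n:5d} circuits: naive={naive_exposure(n):.3f}  "
              f"pinned guard={pinned_guard_exposure(n):.3f}")
    print("circuits to reach 50% under the naive model:", circuits_until(0.5))
```

Under the naive model a user is more likely than not to have been fully visible after 87 circuits, whereas with a pinned guard the figure never exceeds 16% no matter how many circuits are built, which is the whole point of Tor's guard design.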
KAX17 looks sophisticated, well-resourced and persistent. It has been active since 2017, has used servers on more than 50 autonomous systems and at its peak ran over 900 servers. It also rebuilds when the Tor Project identifies and removes its servers. KAX17 also appears to have participated in Tor mailing list discussions when malicious relays were discussed to argue against removal of the servers.
Other malicious Tor actors tend to run exit nodes so that they can intercept or manipulate cleartext or TLS-stripped traffic. For example, nusenu describes another group that replaces bitcoin addresses in unencrypted traffic to hijack cryptocurrency payments and at one point had 27% of exit node capacity. Nice!
KAX17 looks and feels like a state actor, but we have more questions. Which state? If just one actor runs so much of the Tor network, what percentage altogether is run by governments?
Three Reasons to be Cheerful this Week:
pip-audit: A Google-supported tool that scans Python environments for vulnerable packages has been launched. Other tools are available, but this one is free and open source and doesn't require a subscription. It was developed by William Woodruff and Alex Cameron from Trail of Bits. (Disclosure: Trail of Bits sponsors two episodes of the Risky Business podcast annually.)
Australian sanctions: The Australian government has passed its version of the Magnitsky Act, which will allow it to sanction people or organisations for malicious cyber activity, human rights abuses and serious corruption. The costs of bad behaviour online are too low, so although this won't fix anything by itself it at least raises costs some.
Facebook Protect: Meta is more widely rolling out its 'Facebook Protect' security program for protecting the accounts of candidates, elected officials and campaigns that are at risk of being attacked during elections. It already has 1.5m accounts enrolled and will be prompting more people to join.
Paying the Bills
Risky Business has launched something new: product demos that we're publishing to YouTube. This new sponsorship product will help us fund this newsletter and make it sustainable, so if you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We've published two demos this week. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.
Shorts
Well… That Explains a few Things
It's been confirmed that NSO Group malware was used against US State Department employees in Uganda or focussed on Ugandan issues. At least some of those affected were US citizens. This explains how NSO Group ended up being added to a US export control list and the sudden dramatic reduction in the number of countries that Israeli cyber surveillance products can be exported to.
Join the Crypto Revolution! It's Safe, we Promise!
The money stolen in cryptocurrency thefts in the last week alone is eye watering:
Cryptocurrency exchange BitMart lost USD$150m after hot wallet private keys were possibly stolen.
Decentralised finance platform BadgerDAO lost USD$120m, apparently via malicious JavaScript inserted into its website.
MonoX Finance lost USD$31m because of a smart contract bug that allowed attackers to inflate the price of their tokens before cashing out.
BadgerDAO has asked the hacker to return the funds.
Cryptocurrencies are meant to be immutable and don't usually have protections that can unwind fraudulent transactions, but sometimes practicality overcomes principles. In 2016 The DAO was hacked and USD$60m stolen, which seems 'normal' nowadays but was shocking back then. The Ethereum community decided to wind back the clock and pretend it never happened. Awkward.
It is just a comically terrible idea to couple irreversible financial transactions with software. People don't write perfect software and won't start any time soon. Coupling insecurity with immutability is the exact opposite of defence in depth.
On the other hand, perhaps this is what is needed to save us from ransomware… an easier and even more lucrative crime?
Bears Learn New Tricks
A Mandiant report on suspected Russian actors details how the attackers are deploying new TTPs and are adept at compromising service providers to swim downstream (and laterally) to reach their intended targets. Some of the interesting techniques include:
Buying access from third parties operating info-stealer malware.
Using residential IP proxies in the right country to look like real users.
Launching attacks from Azure infrastructure located near legitimate services so that traffic falls within expected IP address ranges.
Downloading networking device disk images and analysing them to identify valid network paths to target customers.
The group also engaged in pretty good opsec and compromised accounts were compartmented by function to limit the scope of detection when individual activity was discovered. For initial access, however, when it had nothing to lose, the group wasn't afraid of being noisy. If it had valid credentials the group would spam multiple push notification MFA requests to the legitimate user until they accepted the request.
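A detection for the push-spam behaviour just described, as an added example that is not from the Mandiant report or the original newsletter; it assumes a constructed three-field log format (timestamp, user, event) and flags any user who receives more than three push prompts within five minutes, noting whether one was eventually approved.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up "<ISO timestamp> <user> <event>" format,
# not the output of any real identity provider.
SAMPLE_LOG = """\
2021-12-06T10:01:02Z alice push_sent
2021-12-06T10:01:10Z alice push_denied
2021-12-06T10:01:30Z alice push_sent
2021-12-06T10:01:41Z alice push_denied
2021-12-06T10:02:03Z alice push_sent
2021-12-06T10:02:40Z alice push_sent
2021-12-06T10:03:05Z alice push_sent
2021-12-06T10:03:20Z alice push_approved
2021-12-06T10:05:00Z bob push_sent
2021-12-06T10:05:09Z bob push_approved
"""


def parse(log_text):
    """Return sorted (timestamp, user, event) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, parts[1], parts[2]))
    return sorted(events)


def find_push_fatigue(events, window=timedelta(minutes=5), max_pushes=3):
    """Flag users who got more than max_pushes prompts inside any window and record
    whether a prompt was approved during or after the burst (the case to triage first)."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    findings = {}
    for user, rows in by_user.items():
        sent = [ts for ts, ev in rows if ev == "push_sent"]
        start = 0  # left edge of the sliding window over push_sent timestamps
        for end, ts in enumerate(sent):
            while ts - sent[start] > window:
                start += 1
            burst = end - start + 1
            if burst > max_pushes and burst > findings.get(user, {}).get("pushes", 0):
                approved = any(ev == "push_approved" and t >= sent[start]
                               for t, ev in rows)
                findings[user] = {"pushes": burst, "approved_after_burst": approved}
    return findings
```

On the constructed log only alice is flagged (five prompts in just over two minutes, ending in an approval); a single prompt followed by an approval, as for bob, is the normal login pattern and stays quiet.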
A Repo of Fail
Scott Piper at Summit Route is keeping a list of Cloud Service Provider security mistakes. His rationale is "Although I believe using cloud providers is often a much better decision than self-hosting, it's important to hold them accountable by recognizing their security mistakes."
APT Crews Face new Challenge: Trademark Law
Microsoft has successfully obtained a court order to seize 42 malicious domains used by a Chinese APT group it calls Nickel. This is the 24th time that Microsoft has used court orders to seize domains and the fifth time against state-backed hackers. Curiously, part of the legal justification is trademark law, the logic being that hacking converts Windows "into a tool to steal credentials and sensitive information from the user. This inherently involves abuse of Microsoft’s trademarks and brands, and deceives users by presenting an unauthorised, modified version of Windows to those users".
Google has also launched legal action against two Russians for operating the Glupteba botnet. Glupteba steals user credentials and data, mines cryptocurrency on infected hosts and proxies internet traffic. Glupteba also uses the Bitcoin blockchain for resilience. C2 server locations are published to the blockchain in transactions from specific addresses. If Glupteba's C2 comms are disrupted it will search the blockchain to identify a replacement C2 server.
We're Shocked That USB-Over-Ethernet Library Has Bugs. Shocked.
SentinelLabs discovered that vulnerabilities in the Eltima USB-over-Ethernet library, used in cloud desktop solutions such as Amazon Workspaces, could be used to escalate privileges both on the end user client and in the cloud service. Security updates have been released, but some require customer action.
Road '.to' Hell is Paved by SQLi
The Tonga country code top-level domain registrar had an SQL injection vulnerability in its website that would have allowed attackers to control the DNS settings of any '.to' domain. This could've been catastrophic as '.to' domains are used in quite a few link shorteners such as Amazon (amzn.to), Uber (ubr.to), and Verizon (vz.to) and also for the Tether stablecoin official website (tether.to).
No Deal on Cyber Incident Reporting
It looks like US legislation mandating cyber security incident reporting is dead, at least for now.