Srsly Risky Biz: Tuesday, October 27
CISA, FBI go public over Russian intrusions, Triton malware authors and Iran's disinfo operators sanctioned, German intelligence agencies queue up to hack messaging apps
Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.
CISA, FBI roll the dice on transparency
The FBI and CISA are taking measured steps to control the narrative around interference in the US election, going public this week with a detailed account of recent US intrusions by a Russian espionage actor.
As forecast in last week's newsletter (see "Recent US Government intrusions had a Russian energy about them"), attacks now attributed to Energetic/Berserk Bear (aka DragonFly) were described in impressive detail in a CISA advisory that offers defenders a trove of indicators to work with.
The Russian APT has targeted "dozens" of assets on state and local governments and aviation-related networks since September 2020, the advisory noted, and the FBI is aware of two occasions when it exfiltrated data from targets. While the activity poses a risk to election security in theory, the agencies stressed that there is "no evidence to date that integrity of election data has been compromised".
At this point, we don't know Russia's intentions. This could be routine espionage, it could be a contingency for an unpredictable few months ahead, it could be a "perception hack". Andy Greenberg at Wired makes the case that Russia is simply signalling its capabilities. We're not so sure.
The decision to publish would have been daunting for US officials. But as threat analyst Alex Orleans posits, the detailed disclosure provided the FBI and CISA "a strong opportunity to set the narrative and potentially engage in some meaningful inoculation of the general public against misunderstanding, manipulation, and panic." While a few non-specialist news journalists seized on the election security angle and overstated its impact, the story hasn't (yet) spun out of control.
Russian authors of 'Triton' ICS malware sanctioned
The US has imposed trade sanctions on Russia's Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), accusing it of developing the extremely dangerous Triton/Trisis ICS malware.
The malware was designed to interfere with Schneider Electric's Triconex safety systems and was used to attack Saudi Arabia's Petro Rabigh oil refinery in mid-2017. On three occasions it triggered conditions that temporarily shut the refinery down. But it could have been a lot worse: Triton/Trisis is malware designed to make things go bang.
In the case of the Petro Rabigh incident, the deployment of this malware was the "final step in a long-term, multi-stage intrusion" in which attackers obtained pervasive access to the plant's control and safety systems, according to an analysis by threat hunter Joe Slowik (see page 13 of this pdf). Access to both sets of systems gave the attackers the ability to create dangerous operating conditions and to silently modify safety systems to maximise the impact of a destructive event.
In 2019, Dragos revealed these attackers -- who it dubbed Xenotime -- had conducted reconnaissance against at least 20 systems in the US power grid dating back to mid-2018.
The US Treasury says it imposed these sanctions on the basis that numerous Russian entities continue to conduct "malicious and dangerous cyber-enabled activities", citing attacks against Ukraine and Georgia as examples.
Iranian front company sanctioned over US voter intimidation campaign
Email recipients in Alaska, Arizona and Florida were threatened with harm if they didn't "change their party affiliation" and vote for Donald Trump in the upcoming election. Some of the emails, which were spoofed from a domain name associated with the American neo-fascist group The Proud Boys, linked to a disinformation video that showed a “hacker” accessing and modifying voting data to produce a fraudulent ballot. The video was quickly debunked.
The first spam run spoofed the officialproudboys[.]com domain, which became vulnerable to forgery from October 8 when the site was kicked off its hosting platform. The attackers used a PHPmailer script hosted on the web site of a (likely compromised) Saudi insurance company, according to an analysis by Proofpoint. A second spam run a day later used the proudboysusa[.]com domain, and was sent to ~1500 recipients using the website of an Estonian textbook publisher. We aren't sure how the attackers accessed voter registration data to build target lists: some initial reports suggested voter registration data had been "hacked," but the data can be purchased by the public and is often mirrored on web sites or collated for resale online.
The clues that ultimately identified who was responsible came from the aforementioned video, according to an exclusive story by Reuters' Chris Bing and Jack Stubbs. Despite the attackers' efforts to blur and obfuscate the commands used in the faux hacking attack, you could still see file paths, file names and an IP address traced to previous Iranian activity if you slowed the film down.
Before they could say "death to America", US Treasury officials had announced sanctions against Bayan Rasaneh Gostar Institute, a front company for Iran's intelligence services, and fresh sanctions against the Islamic Revolutionary Guard Corps (IRGC), the IRGC-Qods Force (IRGC-QF) and two media companies -- The Iranian Islamic Radio and Television Union (IRTVU) and International Union of Virtual Media (IUVM) -- which were accused of being owned or controlled by the Qods Force.
A caveat now: Treasury's sanctions announcement made no mention of the voter intimidation campaign. However, Ellen Nakashima at The Washington Post has sources that claim the Bayan Rasaneh Gostar Institute was directly involved in the attacks. Nakashima also notes that a larger concern to US authorities is that Russian actors have also accessed voter registration information, but haven't yet acted on it.
The US intelligence community assesses that the campaign was designed to "sow chaos and undermine confidence in American democracy".
Microsoft lays speed bumps for OAuth phishing
Microsoft is asking Azure app developers to jump through a few extra hoops in an attempt to ward off a spate of OAuth phishing attacks against Microsoft 365 (nee Office365) customers.
What's that got to do with OAuth phishing? Attackers that try to access a victim's 365 account using rogue apps will need to go through this verification process to have much chance of success. That provides Microsoft more opportunity to weed out malicious apps: whether via suspicious information supplied when the developer joins the Partner Network, evidence of spoofed domains or maybe even some device information fingerprinted via Azure MFA.
Nonetheless, a motivated attacker could spoof/bluff their way through many of these checks. And Microsoft, so far as we can tell, is not vetting any of this information for accuracy.
Indeed, Microsoft also doesn't verify information publishers provide to achieve the next tier of security and privacy compliance: an annual Publisher Attestation. Apps that apply for Microsoft's highest tier of compliance (Microsoft 365 Certification) are vetted by third party assessors, but so far that's only available for apps that integrate with Microsoft Teams, not for apps that integrate with Outlook. Microsoft hasn't provided an ETA on Outlook just yet.
So in effect, Microsoft's changes just introduce a little friction for attackers that care whether they get caught.
For SysAdmins, meanwhile, Microsoft has introduced a middle ground between configurations that prevent users from integrating whatever apps they want, and configurations that require admins to manage hundreds of manual consent requests. There is now a third option, in which users are free to use apps that ask for fairly benign permissions without involving admins, but can't if the app asks for riskier permissions (like, say, read/write access to your inbox). Requests for these riskier apps are automatically routed through to the admin's inbox. Microsoft has been "testing it in prod" since at least early September.
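The "third option" described above, modelled as an added example (this is not Microsoft's code; the low-risk scope list, the field names and the log format are assumptions for this example, not the real consent policy or Azure AD audit schema): a requested scope set is either left to the user or routed to an admin, and the same rule is run over constructed consent-grant log lines to find user grants of inbox-level permissions that would not be allowed under the new setting.

```python
import json

# Assumed risk classification (NOT Microsoft's actual policy list): scopes an
# end user may consent to alone. Anything else is routed to an admin.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read", "offline_access"}


def route_consent(requested_scopes):
    """Decide how a consent request is handled under the split policy.

    Returns ("user", []) when every scope is low risk, otherwise
    ("admin", [risky scopes]) so the request goes to admin review.
    """
    risky = sorted(set(requested_scopes) - LOW_RISK_SCOPES)
    return ("user", []) if not risky else ("admin", risky)


# Constructed sample consent-grant log (one JSON event per line). The field
# names are invented for this example and are not the Azure AD audit schema.
SAMPLE_LOG = """\
{"ts":"2020-10-20T09:12:01Z","user":"alice@example.test","app":"Calendar Sync","consented_by":"user","scopes":["User.Read","offline_access"]}
{"ts":"2020-10-20T09:15:44Z","user":"bob@example.test","app":"Mail Backup Helper","consented_by":"user","scopes":["User.Read","Mail.ReadWrite","offline_access"]}
{"ts":"2020-10-21T14:02:10Z","user":"carol@example.test","app":"HR Portal","consented_by":"admin","scopes":["Mail.Send","Files.ReadWrite.All"]}
{"ts":"2020-10-21T16:30:00Z","user":"dave@example.test","app":"Inbox Cleaner","consented_by":"user","scopes":["Mail.ReadWrite","Mail.Send"]}
"""


def find_risky_user_grants(log_text):
    """Return grants where an end user consented to scopes that, under the
    split policy, should have gone to an admin. Useful for reviewing grants
    made before the new consent setting was switched on."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        route, risky = route_consent(event["scopes"])
        # Admin-approved grants are fine; user-approved risky grants are not.
        if route == "admin" and event["consented_by"] != "admin":
            findings.append({"user": event["user"], "app": event["app"],
                             "risky_scopes": risky})
    return findings


if __name__ == "__main__":
    for f in find_risky_user_grants(SAMPLE_LOG):
        print(f"{f['user']} granted {f['app']} admin-level scopes: "
              f"{', '.join(f['risky_scopes'])}")
```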
Microsoft should be applauded for introducing some of the changes Risky Business begged for in June and July (see "Even BEC Scammers are using OAuth phishing"). But we're not yet convinced these steps represent a genuine effort to take responsibility for vetting the apps on its platform. In the absence of vetting, adding code-signing fairy dust doesn’t really achieve much.
German intelligence agencies queue up to hack messaging apps
Germany's Federal Cabinet has approved laws that would allow its foreign and domestic intelligence services to hack user devices to tap communications sent via encrypted messaging apps.
Since 2009, Germany's domestic law enforcement agencies have been authorised to intercept communications of people suspected of serious offences, using covert access to data stored on their laptops and phones. While federal agencies are coy about how this access is acquired, the only publicly-known technique is to infect a target's device with malware.
The scope of these "Source TKÜ" ("source telecommunications interception") orders has been relatively tight. They could only authorise the recording of communications immediately prior to a message being encrypted and sent, such that they provide the same visibility available via a conventional wiretap, and nothing more.
(Collecting historical data from a device required use of a separate legal instrument, an 'online search' order, which was authorised for a more narrow set of offences. But both involve infecting a suspect's device with malware and open up possibilities for overreach.)
Under the proposed amendments to several German laws, the country's foreign intelligence service (the BND), its domestic Military Counterintelligence Service and its 17 domestic intelligence services (the Office for the Protection of the Constitution and the secret services of Germany's 16 sovereign states) would also be able to seek authorisations for source interception against a target. But rather than apply for them through a court, intelligence agencies would continue to seek ministerial authorisation, with oversight provided by a Bundestag-appointed panel called the G10 Commission.
A June 2020 draft also amended German law to:
Require Germany's telecommunications providers to help facilitate device hacking, just as they would in a regular wiretap. The bill wasn't prescriptive about how: we figure the ISP might redirect certain web requests to a malicious webpage to facilitate the download of government trojans. It's not entirely unheard of.
Broaden the scope of what data could be collected: Today, law enforcement can only use the malware to intercept ongoing communications from the time access to the target device is established (again, to be equivalent to standard telecommunications intercepts). The amendments provide permission to collect stored messages sent and received from the date the activity was authorised.
Remove constitutional protections that required the target of a "source interception" be linked to an organised crime or terrorist group. So it could, in future, also be used to hack the devices of persons suspected of planning "lone wolf" operations, like the right-wing terrorists that went on shooting sprees in Halle in 2019 or Hanau in early 2020.
The new draft approved by Germany's Federal Cabinet hasn’t been published yet, but it is nonetheless expected to be introduced to the Bundestag (German parliament) later this week. It's likely to pass the parliament and be challenged by civil liberties groups in the courts.
Dr. Sven Herpig, cybersecurity policy director at think tank SNV, told Risky Biz that 'source interception' was originally a capability reserved for use in very serious crimes (terrorism, risk of harm to life), before a long list of white collar and other crimes were added in 2017.
He believes that numerous examples of intelligence failures in Germany are rooted in poor collaboration and coordination, not a lack of visibility. "There is no empirical data that supports the claim that the intelligence agencies need these powers," he said.
The Risky Business take is that the current G10 Commission, which struggles to provide effective oversight of traditional intercepts, is about to get very, very busy, and probably needs a restructure and more resources.
EU sanctions GRU kingpin over Bundestag hack
Staying with Germany, the European Union has imposed sanctions on a senior GRU official and a GRU hacker accused of conducting the 2015 cyber attack on the Bundestag.
The EU imposed an asset freeze and travel ban on Igor Kostyukov, the First Deputy Head of the GRU and commander of Military Unit 26165 (aka APT28, Fancy Bear, Sofacy). Kostyukov was already the subject of EU sanctions over the poisoning of Sergei and Yulia Skripal in Salisbury, UK.
The EU also sanctioned Military Unit 26165 as an entity and GRU operator Dmitry Badin as an individual. Badin has already been formally charged by German authorities for his role in the Bundestag attack.
As Stefan Soesanto at ETH Zurich pointed out in Lawfare in late June, sanctioning an intelligence service and its operators for conducting espionage could readily ensnare dozens of countries, including EU governments.
Sweden bans Huawei over security concerns
Swedish telecoms regulator PTS has made its offer of 5G spectrum contingent on telcos removing all Huawei and ZTE equipment from networks before 2025, describing China as "one of the biggest threats against Sweden."
China promised retaliation: Swedish vendor Ericsson is among the few foreign suppliers with an install base in China (11% of China's 5G base stations, according to news reports). Ericsson probably has more potential upside from countries imposing bans on Huawei than what it might lose in China.
CyberBunker operators on trial
Prosecutors have laid out their case against eight operators of CyberBunker, a company accused of providing bulletproof hosting services from former NATO bunkers in the Netherlands (since 1995) and Germany (since 2013). CyberBunker hosted anything and everything and didn't ask a lot of questions.
The public prosecutor has sorted through two petabytes of seized data for close to a year to bring the case to trial, which for pragmatic reasons is mostly focused on the company's hosting of illicit marketplaces like Wall Street Market. The court case is expected to last over a year. The New Yorker's July profile on the bunker's operators is a fascinating read, as is this long read in Der Spiegel.
Three reasons to actually be cheerful this week:
Do the right thing: FIRST has published a simple 12-point list of ethical considerations every incident responder should consider as part of their work. It's a handy resource for training or onboarding new starters.
No excuses for poxy stock photos: The Hewlett Foundation ran a competition to come up with more artful and insightful ways to communicate cyber security issues, and they're giving away the resulting images under Creative Commons licensing.
Snowden gets permanent residency in Russia
British Airways fined €20m over data breach
The UK Information Commissioner's Office fined British Airways €20m in response to a 2018 Magecart-style attack that impacted 400,000 customers. The fine was initially expected to be €183m: the regulator took the economic impact of COVID-19 on airlines into consideration.
DRL COVID-19 vaccine trials interrupted
Indian pharmaceutical manufacturer Dr. Reddy's Laboratories (DRL) shut down its data centres briefly after falling victim to a cyber attack. According to one pharma industry publisher, manufacturing was also paused. DRL's network was infected within days of DRL receiving approvals to conduct Phase II and III trials of Russian-made COVID-19 vaccine, Sputnik V.
Another new low, powered by cryptocurrencies
Extortionists sent ransom notes to at least 200 clients of Vastaamo, a Finnish psychotherapy network, demanding ransom payments (around €500 worth of bitcoin) to delete sensitive files about their mental health, which had been stolen in attacks in 2018 and 2019. The perpetrator also tried to blackmail Vastaamo, demanding a 40 bitcoin (US$520k) ransom, and has already published notes from 300 therapist sessions online. The perp might want to keep their head down: history isn't kind to folks that underestimate the Finns.
Telenor Norway brushes off DDoS
Norway's incumbent telco was hit with 400GB of DDoS traffic for three hours on October 12, alongside a demand for 20 bitcoins (US$260k) by October 19. The telco didn't pay, and suffered no further consequences. It follows a similar pattern of activity across Europe since at least early September.
Ransomware attacks on US counties
There are reports of recent ransomware attacks in Hall County, Georgia, in Louisiana and Washington State. These attacks look like bog standard, profit-motivated stuff to us, but hey, we’re not the New York Times. ZING.
These attacks are not expected to affect the election process.
Bookmark these long reads
ICYMI, the NSA's list [pdf] of the Top 25 vulnerabilities currently being exploited by Chinese APTs is a must-read, as is this neat summary of the 'Hunter Biden scandal' by active measures guru Thomas Rid.