TikTok Risks Are Compounded By Its Success
PLUS: Spyware Executive Order Is on the Money
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.
Fears that TikTok will be used for PRC influence operations are growing in concert with the app's influence and success, and they won't be easy to mitigate.
Last week FBI director Christopher Wray told a US House Homeland Security Committee hearing that the FBI had national security concerns about TikTok, including the potential for it to be used to collect data on US users and concerns about how its recommendation algorithm could be used in influence operations. In a first, Wray also expressed concerns the TikTok app could grant the Chinese company the “opportunity to potentially technically compromise personal devices”.
There are legitimate reasons to be concerned about the platform. Last month Forbes reported that TikTok's China-based parent company ByteDance planned to use the app to monitor the location of specific US citizens without their knowledge or consent. This monitoring effort was allegedly led by ByteDance's Internal Audit and Risk Control department, the team that investigates potential misconduct by current and former employees. Forbes alleges that in at least two cases "the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company".
It's hard to know what to make of this report as it's light on details and it's not clear that the monitoring even took place. But perhaps the most concerning aspect of the Forbes article was that TikTok didn't explicitly deny the allegation and instead issued a "non-denial denial". Yikes.
Then there are concerns apps like TikTok could be used to harvest citizen data in bulk. In June we covered TikTok's efforts to mitigate these concerns by securing user data in US-based Oracle data centres (the company's so-called "Project Texas"), and our take was that isolating US user data will be hard.
Then again, the US data ecosystem is such a free-for-all that taking advantage of TikTok's data probably wouldn't get the PRC anything it can't get already. There are tens, potentially hundreds, of Chinese analytics companies that have code in the background of many of today’s mobile applications. The Chinese government doesn’t need TikTok’s data.
The company is trying to allay concerns about user data access, and it will at least have some success there. However, it's in a real bind when it comes to influence operations. Proving that the platform is resistant to political manipulation will be extremely difficult.
Ultimately, the more successful TikTok is the greater the national security risk it will pose in the minds of US lawmakers, especially given doubts that its recommendation algorithm can be effectively audited. The app is already demonstrating real world influence, and it's growing.
Fergus Ryan, a senior analyst at the Australian Strategic Policy Institute and the author of several reports on TikTok, Chinese censorship and propaganda, told Seriously Risky Business that TikTok is not just mirroring societal trends but is "creating things".
"This is not a crazy idea," he says. "It's been true of every other social media platform so why wouldn't it be true of TikTok, especially as it is eating into the market share of all these other social media platforms?"
Ryan pointed to TikTok as a factor in the success of the Hollywood movie Minions: The Rise of Gru, telling Seriously Risky Business the movie was totally "a TikTok phenomenon".
At time of writing the movie had taken USD$937m in box office, with the #minions hashtag eclipsing 17bn views on TikTok.
Last week, the Department of Justice announced that two Russian nationals had been arrested for running a large ebook piracy website, Z-library. TikTok was at least partially responsible for the popularity of Z-library. In a letter to the Office of the US Trade Representative addressing piracy, The Authors Guild included a statement from 'a group of romance writers' that specifically addressed the impact of TikTok:
As a group, 2021 saw an aggressive wave of piracy, particularly via Zlibrary [sic]. Zlibrary has been a problem for years. But what made 2021 particularly bad was that TikTok behaved like jet fuel on the flames. Every month saw a new TikTok video along the lines of: "Never pay for another book! Find them here on Zlibrary." And these videos saw hundreds of thousands of views. In the past, we could at least serve Google a search term takedown, which meant that anyone searching "download TITLE by author" might not find Zlibrary. But with TikTok acting as Zlibrary’s free and constant billboard, we have completely lost control of the conversation.
Given that TikTok's inner workings are opaque to users and creators, it is impossible from the outside to know if topics are being secretly boosted or suppressed. Oracle is reportedly auditing TikTok's algorithms to ensure they aren't being manipulated by Chinese authorities. This can only inspire so much confidence — the observability of machine learning-based systems is notoriously fraught.
We think TikTok knows it has exposure here. When it posts about its growing influence it focuses on creators, culture, music, entertainment, and brands. This makes sense, but we can't help wondering if it's deliberately avoiding any mention of 'town squares' and 'public discourse', both terms that are regularly associated with other forms of social media.
Summing up, we think lawmakers need to keep their eye on the ball here and worry about TikTok's political and cultural influence, and its susceptibility to manipulation, more than the risks it may pose to device and user data security.
Looming Executive Order on Spyware Is on the Money
The report is based on a letter, obtained by CyberScoop, that was sent from the Departments of State and Commerce to members of the US House Intelligence Committee. The letter states the Administration is preparing an Executive Order that will prohibit US government use of commercial spyware that "poses counterintelligence or security risks to the United States or risks of being used improperly".
This leaves open the possibility that the government will use spyware products that are being used "properly" elsewhere, and don't pose a counterintelligence or security risk. In other words, it's a carrot-and-stick approach to foreign spyware vendors — behave responsibly and US government contracts are at least a possibility, behave badly and get sanctioned instead.
Reassuringly, the letter shows that these departments are thinking clearly about exactly what aspects of commercial spyware are problematic. After summarising the US government's plan of action, the letter spells out the specific issues that these actions are intended to address:
Taken together, these efforts aim to reduce the proliferation and improper use of new technological tools to facilitate repression and human rights abuses, mitigate the counterintelligence threats these tools can pose to the U.S. Government, ensure that U.S. companies and former U.S. Government personnel are not facilitating authoritarian or repressive practices abroad, and provide tools to Americans and others around the world to improve their digital security.
There is justified outrage and concern among politicians in Europe and the US at the abuse of commercial spyware. This can result in a haphazard approach where some proposed regulation is positively counterproductive (The Grugq and this author discuss this issue in our latest Between Two Nerds podcast), so it is good to see some clear-eyed thinking on the issues here.
Three Reasons to be Cheerful this Week:
Limiting Cobalt Strike Abuse: Google has released a set of open-source detection rules to find versions of Cobalt Strike that are being misused by malicious actors. Cobalt Strike is a legitimate commercial penetration testing tool that is often abused by malicious actors. Cobalt Strike sales are vetted by its vendor, so bad actors tend to use leaked or cracked versions which are harder to update and are typically at least one release version behind. By developing detection signatures for older versions Google hopes to make Cobalt Strike harder to misuse and "move the tool back to the domain of legitimate red teams".
A really comprehensive Ukraine invasion cyber timeline: The National Security Archive at George Washington University has updated its extremely comprehensive timeline (140+ pages so far) of the cyber-related aspects of the war in Ukraine at its Ukraine Cyber Project. It's not just numbers and dates; it also includes brief summaries of articles, events and incidents. A fantastic resource.
Zeppelin ransomware flaw exploited to help victims for years: Unit 221B, a New Jersey cyber security firm, was able to recover Zeppelin encryption keys by taking advantage of a flaw in the three-step encryption system Zeppelin used. In one of the encryption steps the ransomware temporarily stored a relatively weak 512-bit RSA key in the Windows registry, and by recovering the deleted key and cracking it Unit 221B was able to extract per-file decryption keys. This process was used to help nearly two dozen victims recover from attacks without paying ransoms. Unit 221B revealed the flaw recently as the ransomware is no longer in use. More at Krebs On Security.
Proofpoint reports Emotet malware returned in early November after a four-month hiatus. The group responsible is once again sending hundreds of thousands of malicious emails per day. Emotet has made some changes, including new payloads, lures and changes to Emotet modules, and Proofpoint speculates that Emotet might be under new management.
In this article, Proofpoint's VP of Threat Detection and Research, Sherrod DeGrippo, explains how recent Twitter verification changes have caused phishing attacks targeting Twitter users to spike.
Proofpoint has also released an entire e-book on securing Microsoft 365. Get it here.
When Fixes Don't Flow
Google's Project Zero found five exploitable vulnerabilities in the ARM Mali GPU driver used in a large number of Android devices. Although ARM was contacted and the flaws were patched, they remain exploitable because Android phone vendors haven't pushed the patches downstream.
When Public-Private Partnership Works
The Record's Click Here podcast has a good episode on the Cyber Defence Assistance Collaboration, the collective name for dozens of technology and security companies that volunteered assistance to help Ukraine defend itself against Russian cyber attacks.
The good news is that these partnerships definitely helped Ukrainian organisations repel Russian attacks — the podcast examines efforts to protect Ukrainian natural gas company Naftogaz as a case study. The bad news is that it took a terrible war to motivate action, but perhaps it's just the nature of public-private partnerships that it takes a serious crisis to align incentives and actions. Maybe in times of relative calm the goal of these partnerships should simply be to develop the structures that will enable real collaboration when the proverbial excrement hits the fan.
Offensive Approvals Are Alright
CyberScoop reports that a review of approval processes for US Cyber Command's offensive operations will result in a (slightly) revised version of National Security Presidential Memorandum-13 (NSPM-13), the Trump-era policy that loosened the reins on offensive operations.
Back in April we examined why NSPM-13 might need to be reviewed and the changes as reported all sound pretty sensible to us. The White House gets advance notice of operations, the State Department gets a bit more of a say, and there is a documented dispute resolution process.
Even better news is that Cyber Command's successes justified the relatively minimal changes to the policy. A senior administration official told CyberScoop "CyberCom has been able to notch a bunch of good wins, justifying the argument that having more flexibility, being able to move faster really does help operations".
Ransomware Dominates UK Government Crisis Meetings
Ransomware attacks comprise the majority of the British government's crisis management or "Cobra" meetings, according to a report in The Record.
The Record's article highlights the lack of ministerial interest in ransomware and points out that "the need to regularly hold cross-departmental meetings reveals how little progress Westminster has made to address the risks ransomware poses to the country".
This is a stark contrast to the approach of Clare O'Neil, the Australian Minister for Cyber Security, who has led a strong Australian whole-of-government response after recent nationally significant breaches, including the announcement of a standing anti-ransomware disruption task force.
We'll have to see if this approach works, but it is interesting to see a post on a Russian cybercrime forum concerned that the "Australian market" for ransomware has been killed.
This Newsletter is Also a Podcast
In addition to a podcast version of this newsletter (last edition is here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes news bulletins and the "Between Two Nerds" podcast. In last week's discussion Tom Uren and The Grugq examined a recent European Parliament inquiry into the use of Pegasus and similar spyware. The report contains an interesting overview of the European spyware market but makes some recommendations that are not just ineffective but positively counterproductive — they’ll actually make the world a less safe place.
From Risky Biz News:
Cyber Partisans hack and disrupt Kremlin censor: Belarusian hacktivist group Cyber Partisans has hacked the Russian General Radio Frequency Center (GRFC), a smaller sub-agency that's part of Roskomnadzor, the Russian government's telecommunications watchdog.
In Telegram and Twitter posts, the Cyber Partisans said they gained access to the agency's internal network, from where they stole more than 2TB of emails and documents before trashing its domain controller and encrypting local workstations.
Italy tracks and redirects entire ISP traffic: Italian police said they tracked and redirected the internet traffic from all internet service providers in order to identify people who subscribed to a pirate IPTV service. Cool, but maybe they can use the same "capability" next time to detect Italian systems connecting to known malware C2—and be actually useful to their citizens.
Conti off-shoots: Equinix security researcher William Thomas has a report on how members of the former Conti gang have scattered across the malware ecosystem since disbanding in early 2022.
The members of Conti have continued attacks, but seemingly under several different names, including Quantum, Royal, and Black Basta (also highlighted by Vitali Kremez here). Campaigns previously attributed to Conti such as Karakurt and Diavol have also continued in 2022 since the leaks. These new data-theft-extortion ransomware campaigns, though, have been supported by malware other than Trickbot and BazarLoader; this includes the new BumbleBee malware, as well as three malware botnets previously associated with Conti attacks: IcedID, Qakbot, and Emotet.