Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Island.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The National Security Agency (NSA) has been embroiled in a US Senator's campaign against intelligence agencies' purchase and use of data obtained illegally by data brokers.
US Senator Ron Wyden, a member of the US Senate Select Committee on Intelligence, is pushing to stop US intelligence agencies buying Americans' personal data obtained illegally by data brokers.
Wyden announced the push in a recent press release in which he announced the release of letters saying the NSA was buying 'internet records' that could reveal what websites Americans visited and the apps they used.
It then segues into a call for the administration to stop agencies buying personal data obtained illegally by brokers. Recent Federal Trade Commission (FTC) actions indicate that data brokers are sometimes not obtaining informed consent from people whose data they capture, implying that their products are illegal.
General Paul Nakasone, Director of the NSA, explained the NSA’s data purchase regime in a letter to Wyden, linked to from the Senator’s press release.
In our view, the NSA's regime is defensible and Wyden would be better off focusing on other targets.
Nakasone admits that the NSA buys what he referred to as ‘CAI’ or commercially available information. However, he details the steps that NSA takes to make sure that the CAI it buys is valuable to its intelligence and/or cyber security missions, is lawfully acquired, that information about US persons is minimised, and that purchase of CAI is regularly reassessed for value rather than purchased on autopilot.
The NSA is also buying data that is filtered to focus on malicious activity, rather than providing a full picture of Americans' movements and actions. That data is aggregated from network operators and ISPs, rather than collected directly from individuals under potentially misleading terms and conditions.
Nakasone was at pains to make it clear that NSA did not purchase the types of location data that have been the subject of the recent FTC actions. He wrote:
NSA does not buy and use location data collected from phones known to be used in the United States either with or without a court order. Similarly, NSA does not buy and use location data collected from automobile telematics systems from vehicles known to be located in the United States.
This is good news, because the sale of people's location data is an extremely concerning practice. Geolocation data brokers claim their data is anonymous, but they typically use device identifiers that are stable over time. This means that devices can be correlated to individuals by looking at travel patterns, such as journeys between home and work addresses, for example.
Once a link between a device and a person is established, this identifier can then be used to unravel a person's location history, including sites they might consider sensitive. We've previously covered the use of this type of data to harass a person before and government purchases of this kind of data are problematic.
The NSA does, Nakasone explains, "buy and use commercially available netflow (i.e. non-content) data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad."
Netflow is comprehensive summary data that captures how traffic flows across the internet and can hint at the type of data being sent.
We have previously covered the steps commercial vendors of netflow take to mitigate privacy risks. Unlike 'protections' applied by geolocation data brokers, these are meaningful mitigations. For example, the data involved isn't comprehensive, but is instead filtered when it is ingested for flows that are known or suspected to be malicious.
Netflow records have legitimate cyber security uses too:
If the aggregated data covers a particular cyber security incident, researchers can drill down to see what traffic was occurring at a particular point in time. Joe Slowik, Principal Security Engineer at Gigamon [Ed: now at Mitre], says netflow "can be exceptionally valuable in monitoring [command and control] C2 channels to go from victim-facing C2 nodes to actual adversary infrastructure. It can also serve as ground-truth data for exfiltration activity."
We would be surprised if some US government agencies had not purchased and used data obtained illegally by data brokers. But we don’t believe the NSA’s use of netflow falls into this category.
Microsoft's Dark Winter Gets Colder
Microsoft's Midnight Blizzard breach just keeps getting worse. The compromise, which we wrote about last week, took advantage of a string of security failures from Microsoft, but at the time, the attack appeared to be restricted to Microsoft itself.
The company's post announcing the incident said the Russian hackers had "access[ed] a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions".
However, last Thursday, a follow-up announcement said that the vendor had since learnt that "the same actor has been targeting other organisations and, as part of our usual notification processes, we have begun notifying these targeted organisations".
In the same announcement, Microsoft also provided more information about the techniques used in the attack. This included more detail about initial access using a password spray (attempting to access a large number of accounts with a small number of popular passwords), creating a highly privileged OAuth application, and the use of residential proxies to obfuscate connections to command and control servers.
There is some careful wording here. The post doesn't necessarily imply Midnight Blizzard had been successful attacking other organisations, or that it was able to take advantage of the same Microsoft SNAFU in these other attacks. However, on yesterday's Risky Business podcast Patrick Gray said that multiple sources were saying that the "number of victims of this particular set of TTPs was in the triple digits". (Other journalists are hearing the same thing.)
One organisation has already fessed up to being impacted by the same actor. Last week, Hewlett Packard Enterprise (HPE) filed its own SEC disclosure statement saying Midnight Blizzard had popped its cloud-based email environment (Microsoft Office 365) beginning around May last year.
In its latest post on the incident, Microsoft says these were all mistakes of the past and that its security has improved since then:
If the same team were to deploy the legacy tenant today [Ed: a legacy tenant was patient zero in this attack], mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled to comply with current policies and guidance, resulting in better protection against these sorts of attacks.
That's so good! It's only all of Microsoft's previous customers that have to worry. What a relief!
Election Disinformation Continues to Evolve
A report from the Australian Strategic Policy Institute, released shortly after the Taiwan election, provides a first glimpse at the PRC's evolving cyber-enabled interference tactics.
This newsletter's last edition of 2023 examined election interference and pointed to the Taiwanese election as one to watch. The PRC has a strong preference for the opposition Kuomintang Party, which favours closer ties with the mainland, as compared to the incumbent pro-independence Democratic Progressive Party (DPP). It also feels free to engage in various different types of election interference.
Prior to the election, for example, the PRC had used 'friendship tours' to cultivate Taiwanese politicians, used economic coercion and even threatened military action. Cyber-enabled interference is just one arrow in the quiver.
The election was held on January 13 and was a win for the incumbent DPP. The report was released just five days later and — beyond now-standard spammy inauthentic social networks — shows increasing use of both AI technologies and 'leaking' of falsified information.
The report notes that generative AI technologies were used to create avatars and also content, including what appears to be a virtual presenter or 'speaking portrait' the report says was created by US-based company D-ID.
There are also attempts to provide what look to be forged documents with authenticity by distributing them as 'leaks' on sites such as BreachForums. The report documents both an alleged leak of Taiwanese government documents and also a fake DNA test that purported to show that the Taiwanese Vice-President had an illegitimate child were both posted to BreachForums. These posts were then amplified by inauthentic looking accounts on X, Facebook, YouTube and on other online forums.
This contrasts with the US 2016 Presidential election. In that election, Russian operatives stole genuine emails from various parts of the Democratic party, and the impact of subsequent leaks of this material were amplified by the reporting of mainstream media.
In this Taiwanese election, the leaks weren't genuine and the mainstream media didn't amplify them. Perhaps, to some degree, Taiwanese society is even inoculated to this kind of interference. The government has raised awareness of the problem and there are many civil society organisations that counter disinformation.
So, despite the PRC's evolving efforts, the report assesses that these efforts had "minimal impact on the integrity of election results".
Three Reasons to Be Cheerful This Week:
Prolific swatter arrested: US law enforcement officers have reportedly arrested the country's most prolific swatter, a 17-year-old from California known as 'Torswats'.
Scattered Spider Arrest: Krebs on Security reports that a Florida man arrested for SIM-swapping and related crimes, Noah Michael Urban, is a key suspect in the string of Scattered Spider aka Oktapus hacks. These incidents affected a swathe of high profile US technology companies during 2022.
US disables Chinese hacking infrastructure: The US has launched an operation to disable a botnet used by Chinese espionage groups, according to Reuters. Per Reuters, the government "sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign". We wonder if this is a lot of disabling, or just a little? Just a few weeks ago we wrote about the 'KV botnet', a botnet made up mostly of end-of-life devices and used by PRC cyber actors, including Volt Typhoon, a group that is worrying because of its apparent intentions to disrupt critical infrastructure in the event of military conflict.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bradon Rogers, Chief Customer Officer at enterprise browser Island, on how a modern enterprise browser solution like Island can be used to replace, complement, or enhance some enterprise security tools or technology stacks.
Shorts
SolarWinds Hits Back Against the SEC
US company SolarWinds has filed a motion to dismiss the Securities and Exchange Commission's (SEC) complaint against the company and its CISO, Tim Brown.
SolarWinds and some of its customers were compromised in a 2020 supply chain breach by Russian state-backed hackers.
The crux of the SEC's case is that SolarWinds and Brown defrauded investors by "overstating SolarWinds' cyber security practices and understating or failing to disclose known risks". In its dismissal motion, SolarWinds argues it made "repeated warnings" about its vulnerability to "the pervasive risk of cybersecurity attacks". And it also says that after it discovered it had been compromised it promptly disclosed the attack.
We have some sympathy for SolarWinds position here, and sincerely doubt that investors care all that much about cyber security risk. It can cause serious disruption, but most of the time these ructions are short-term and don't seem to much affect the long-term value of a company.
However, part of the SEC's argument was that SolarWinds' disclosures were "boilerplate" and only contained "generic and hypothetical risks that most companies face". So although SolarWinds repeatedly warned of cyber security risks, those warnings were effectively meaningless.
Companies may as well just say "we are a modern company, cyber security in general is difficult and we could get massively pwned and rekt at any time" and be just as accurate. That can't be right either.
More on Ermakov
Krebs on Security wraps up what is known about Aleksander Ermakov, the alleged Russian cyber criminal who was sanctioned by the Australian, US and UK governments last week.
NSO Still Not Dead
NSO appears to be trying to rehabilitate its image and has issued a new transparency report. Wired wraps up the various lobbying efforts the firm is making including providing help to Israeli security services in the Israel-Hamas war.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how the war in Ukraine is showing how useful mobile devices are in war. Using them is risky, but those risks need to be managed. This episode refers to this report on location tracking of phones on the battlefield..
From Risky Biz News:
GUR hack in Russia: One of Ukraine's military intelligence agencies says it hacked and wiped servers at IPL Consulting, a Russian company that provides IT services for Russia's industrial sector. Officials from Ukraine's Defence Intelligence Main Directorate (GUR) say they wiped more than 60TB of data from dozens of servers and databases. GUR officials say they also worked with a group of "unknown cyber volunteers in Russia" to cripple the infrastructure of Akado-Telekom, an ISP used by the Putin administration, the FSB, the FSO, the Moscow local administration, and Sberbank.
DOJ and FTC tell companies to stop deleting chats: Federal investigators are warning companies not to delete chats and preserve conversations that have taken place via business collaboration and ephemeral messaging platforms.
In press releases on Friday, the US Department of Justice and the US Federal Trade Commission announced that they updated the language in their preservation letters and specifications—documents they send to companies under federal investigations.
The new language updates evidence preservation procedures to cover modern tech stacks such as Slack, Microsoft Teams, and Signal.
[more on Risky Business News, including reports of Amazon and Google executives using auto-deleting messages when faced with anti-trust lawsuits]
Brazil spyware scandal: Brazilian authorities have started an investigation against the country's former intelligence chief for organizing a mass surveillance campaign against the political rivals of former president Jair Bolsonaro. Brazilian Federal Police say they raided several homes owned by Alexandre Ramagen, the former head of ABIN, the country's intelligence agency. Officials say Ramagen created a "parallel structure" inside ABIN that targeted state governors, lawmakers, judges, and journalists. The ABIN unit allegedly used a spying tool named FirstMile, developed by Israeli company Cognyte. [Additional coverage in El Pais]