Kaspersky Finally Evicted From the US

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Devicie.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Podcast episode: Risky Business News, "Srsly Risky Biz: Why the Optus breach was dumb", 26 June 2024

The US Government has decided to evict Russian cyber security company Kaspersky from the US market, announcing a ban on sales to US customers and applying financial sanctions to Kaspersky's senior leadership.

Last Thursday, the Commerce Department announced Kaspersky will be prohibited from selling to US customers from late July and that its operations in the country must stop by 29 September. 

This means no more codebase and anti-virus signature updates, so current customers have just a short period to find alternatives.

The Department also placed three Kaspersky entities on an export control register known as the Entity List, citing "their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives".

The US Treasury has also sanctioned a dozen of Kaspersky's executives and senior leadership team. Eugene Kaspersky, the company's co-founder and CEO, is notably absent from the sanctions list.   

The ban has been a long time coming. The Department of Commerce says Kaspersky's products pose an "unacceptable risk" to US national security and cites the risk of subversion or sabotage of US critical infrastructure.

In 2017 The New York Times reported an Israeli intelligence operation had found NSA documents and tools in Kaspersky's network that had been scooped up by the Russian company's software:

"The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky's antivirus software was installed."

Sensationally, The New York Times claimed the Russian government had used Kaspersky as a kind of worldwide search engine, writing that "Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs". The Wall Street Journal also made this claim, sourcing it to "current and former US officials with knowledge of the matter". 

Barring claims of direct Russian government involvement, much of what The New York Times reported was confirmed by Kaspersky. The company admitted it had swept up hacking tools belonging to what it called the Equation Group:

"Our product detected known Equation malware on a user's system. Later, on the same system, it also detected a non-Equation backdoor originating from a pirated copy of Microsoft Office, and a 7-Zip archive containing samples of previously unknown malware. After it detected them, our product sent the archive to our antivirus researchers for analysis. As it turned out, the archive contained malware source code that appeared to be related to the Equation Group, as well as several Word documents bearing classification markings."

Kaspersky's incident report says CEO Eugene Kaspersky ordered the source code be deleted and that the archive was not shared with any third parties. The incident also resulted in a new 'delete potentially classified material' policy at the company, the report says. 

Two people with links to NSA's hacking programs have since been convicted of taking classified material home. Nghia Pho, an NSA employee, was convicted in 2018 and contractor Harold 'Hal' Martin was convicted in 2019.  

The US Government banned Kaspersky products from its networks in 2017. Back then, it would have been easier to squeeze your eyes shut and argue that allowing Kaspersky on non-federal government US networks was an acceptable risk. These days, not so much.

Gavin Wilde, a Russia and cyber expert at the Carnegie Endowment, told Seriously Risky Business the balance of risk had shifted in recent years after Russia's invasion of Ukraine and engagement in higher profile European sabotage operations.

Wilde thought the discovery of Volt Typhoon, the Chinese actor that compromised US critical infrastructure in preparation for potential sabotage operations, had also shifted perceptions of risk. Given Russia and China's 'no-limits' relationship, having Russian security software protecting US critical infrastructure is a terrible idea.

Wilde noted that the US intelligence community "has looked warily on Kaspersky since I started in government almost two decades ago" and Wilde described the ban as "at least a decade overdue". 

The Optus Breach Was as Dumb as We Thought

The Australian Communications and Media Authority (ACMA) says a 2022 data breach at Australia's second largest telecommunications provider Optus occurred because the company accidentally removed access controls from a long-disused API endpoint. 

This newsletter has previously described the breach as Australia's Equifax moment as it affected 9.5 million current and former Optus customers (about a third of Australia's population). 

ACMA says the 'target' API endpoint in question had not been used since 2017 and had originally been protected by access controls. These controls were removed in 2018 in what ACMA describes as a 'coding error'. 

It says Optus detected and fixed the same error in 2021 on a different endpoint it was actively using. Unfortunately, the same error was not detected or fixed on the dormant target endpoint, which was exploited by an attacker in 2022. 

ACMA says the breach "was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge of Optus' processes or systems. It was carried out through a simple process of trial and error".

US Car Dealerships Struck By Ransomware

A ransomware attack on software-as-a-service platform CDK Global has disrupted thousands of North American car dealerships over the last week. 

Several publicly listed companies have lodged filings with the US Securities and Exchange Commission indicating that they have been affected by the CDK Global incident. The SaaS provider claims it services close to 15,000 dealer locations. CDK Global suffered a second breach while attempting to recover from an initial ransomware attack and has also warned that customers are being approached by fraudsters posing as CDK agents in an attempt to gain system access. 

Bleeping Computer reports the relatively new Blacksuit ransomware group is responsible. CDK Global is reportedly negotiating with the group, which is seeking tens of millions of dollars in ransom.

These kinds of high-leverage victims (think Colonial Pipeline, Change Healthcare or Kaseya) are highly motivated to resolve incidents quickly because of the huge impact ransomware has on their customers. In other words, they are the best targets for ransomware crews because disruption causes extensive collateral damage.

From a policy perspective this is a reason to demand higher cyber security standards from these systemically important companies. The trick, of course, is to identify these types of companies before they are struck by ransomware and work with them to improve their security. 

Three Reasons to Be Cheerful This Week:

  1. Safer Chrome extensions: Google has published a blog post describing its Chrome extension security measures, and how users can stay safer while using extensions. The company applies automated and human review and claims that "less than 1% of all installs from the Chrome Web Store were found to include malware". This seems like an odd flex... 1% seems insanely high to us. 
  2. Ransomware victims' resilience up, payments down: Insurance broker Marsh has found that only 23% of companies submitting claims paid ransom demands last year, a decline from previous years. This is very similar to figures provided by ransomware incident response firm Coveware, which found recently that 28% of victims paid a ransom. Meredith Schnur, managing director of Marsh's US and Canada cyber practice, told Legal Dive that companies are "just more resilient than they were three, four, five years ago".
  3. Scattered Spider ringleader arrested: Krebs On Security reports the alleged ringleader of the Scattered Spider group has been arrested. This is good news, as this group has been responsible for a string of high-impact hacks. At the same time, Scattered Spider is more of a community than a group. What does it mean to be a ringleader?

Shorts

A Succulent American Plea Deal

WikiLeaks founder Julian Assange is free after he pleaded guilty to espionage in a US court and was sentenced to time already served. Assange had served five years in Britain's Belmarsh prison. 

The presiding judge, Ramona Manglona, noted that Chelsea Manning, Assange's co-conspirator in the case, had served seven years in prison before her sentence was commuted. She described Assange's sentence as "very reasonable and proportionate to Ms Manning's actual prison time".

AI Bias Should Not Trump Privacy

The Record reports that removal of civil rights protections and algorithmic bias guardrails from the latest version of the American Privacy Rights Act (APRA) has 'incensed' advocates.

It's clear that the US needs improved privacy legislation but we don't think that algorithmic bias has yet proven to be a clear and present danger. 

This Machine Hunts Bugs, Poorly

Google's Project Zero has published a writeup of its efforts evaluating the use of Large Language Models (LLMs) for vulnerability research.

It appears that on their own LLMs are bad at vulnerability research, but if you give them some specialised tools they can perform some basic vulnerability research tasks.   

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how information about the use of cyber operations in Ukraine is incomplete. Rather than clarifying the role of cyber operations in conventional warfare, there is still a lot of room for confirmation bias.

Podcast episode: Risky Business News, "Between Two Nerds: The cyber Rorschach test", 10 June 2024

From Risky Biz News:

Russia wants its own CISA: The Russian government is holding private talks on establishing a dedicated cybersecurity agency, similar to the role CISA plays in the US.

Talks are in early stages but a RIA Novosti report suggests the initiative has support from Russia's private sector.

The Russian government has recently passed or started working on several cybersecurity-related initiatives.

These include larger fines for data breaches, mandatory incident reporting, legalising vulnerability research, and banning the use of Western software in critical infrastructure on the grounds of national security.

Currently, the enforcement of Russia's cybersecurity regulations falls to multiple agencies, such as the FSB, FSTEC, Roskomnadzor, the Ministry of Digital Affairs, and Russia's Central Bank.

Hacker-for-hire scandal: The California State Bar has accused a Los Angeles lawyer of trying to hire Israeli hackers to break into the emails of a judge and rival attorney. Michael Libman concocted the scheme with another lawyer named Paul Paradis after a judge cancelled a settlement in a class action lawsuit against the California Department of Water and Power. Another lawsuit found that Paradis had secretly represented both of the parties in the class action lawsuit. The judge cancelled the settlement and ordered Libman to return $1.65 million he received as attorney fees in the case. The California State Bar claims Libman and Paradis wanted to use a hacker to get the judge's emails hoping to find evidence to get the ruling annulled and keep their attorney fees. The scheme was uncovered after Paradis turned FBI informant. [Additional coverage in the Daily Journal]

Matriochka: The French government has published a report on Matriochka, a pro-Russian social media influence campaign that tried to discredit Western news media, public figures, and fact-checking organisations. Matriochka accounts impersonated their targets, aiming to discredit their trustworthiness while also spreading Russian interests. The campaign has been active since September of last year, and its main objective has been to propagate and amplify anti-Ukrainian narratives. French officials say disinformation posted on Twitter was initially posted on Russian Telegram channels, suggesting the content was initially set up for Russian-speaking audiences and then repurposed for Western audiences.

"VIGINUM believes that this campaign undermines the reputation of French mainstream media and official institutions. Since the start of the large-scale invasion of Ukraine in February 2022, the Russian influencing mechanism has regularly targeted fact-checkers and used extensive resources to discredit analysis from Western media outlets."