Norms? What Norms? Honeypots, Harassment On the Up
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by GreyNoise.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Multiple recent incidents show state actors violating what Five Eyes countries consider to be acceptable norms of online behaviour.
Politico reports politicians, officials and journalists working in the UK parliament were subjected to honeypot-style phishing campaigns. Politico's investigation identified six men who were targeted with unsolicited WhatsApp messages.
Many of the messages contain striking similarities, including personalised references to the victims' appearances at U.K. political events and drinking spots. In several cases explicit photos were also sent — and in at least one case, the victim reciprocated.
And further on in the article:
… the sender or senders of the messages often displays extensive knowledge of their target and their movements within the narrow world of Westminster politics.
British police are also investigating another incident that appears to be part of the same campaign, but was not covered in Politico's report.
Any one of these incidents on their own probably falls into the 'acceptable espionage' bucket, but it is the scale and brazenness of the activity that makes it problematic for Western policymakers.
This campaign hasn't been linked to any particular state actor.
However, countries including China are known to be pushing boundaries when it comes to cyber-enabled interference with domestic politics.
A Microsoft report released last week reported that a Chinese Communist Party-linked online influence actor was targeting US domestic politics. The actor’s activities included creating "AI-generated memes targeting the United States that amplified controversial domestic issues and criticised the current administration".
Although the actor, which Microsoft refers to as Storm-1376 but is also known as 'Spamouflage' or 'Dragonbridge' is experimenting with AI, the report states that AI-generated media has not had much impact.
Storm-1376's campaigns have covered a range of topics, including: claiming a US 'weather weapon' started wildfires in Hawaii; amplifying outrage over Japan's disposal of nuclear wastewater; and advancing conspiracy theories over a November 2023 train derailment in Kentucky.
Although these kinds of online influence operations have not proved to be effective, the direct attempt to affect domestic politics must be galling for US policymakers.
What can be done here? Late last month we wrote that part of the US and UK government's motivation in sanctioning Chinese hackers was to call out transgressions.
Ultimately, we think it unlikely that the Chinese government can be entirely deterred from carrying out operations that we think transgress norms. It's never happened before despite various US and allied efforts stretching back nearly a decade, although we think
Despite that, efforts at exposing operations are tremendously valuable, because they at least spell out loud and clear where Western governments think the line that should not be crossed is.
As an aside, we'd love them to try honeypots against the French. Lol.
Politicians Invoke the Big Tech Bogeyman in Privacy Reform Push
New draft bipartisan legislation presents the best opportunity to date for federal privacy reform in the United States.
There is a lot to like here, including a consumer right to access, correct and delete data collected about them; an opt-out for targeted advertising; and also a requirement for companies to minimise the data they collect to what is necessary and proportionate for a range of permitted purposes.
In our view, however, the focus on 'Big Tech' in the rhetoric surrounding the bill is not quite right. Per the press release announcing the legislation:
This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviours for profit without their knowledge and consent.
Rather than arising directly from how Big Tech handles data, however, we think most of the US's data ecosystem risks arise from the more or less unrestrained collection, trading and sale of sensitive data outside of Big Tech.
We don't believe adversary intelligence services are buying data about Americans from Google, Meta or Amazon, for example, but we expect it is being bought from one or more of the US's numerous data brokers.
The US's data ecosystem has evolved over the last 20 years, so even if it passes this bill won't be an instant panacea. But the US needs some progress on federal legislation to start fixing the mess.
This D-Link Thing Shouldn't Happen Ever Again
In late March a security researcher known as Netsecfish discovered two security vulnerabilities in end-of-life D-Link NAS (network attached storage) devices. They claimed they affected over 92,000 internet accessible devices, although the true number is more likely to be around 5,000.
So far, so normal. But where this gets interesting is D-Link has washed its hands of the devices, that they're 'end of life' and that they will "no longer receive device software updates and security patches". The vendor recommends users 'retire and replace' the devices.
So... bin them. Great response!
One of the vulnerabilities is a hardcoded backdoor account—user 'messagebus' with a null password—and the second is a command injection vulnerability. These can be combined into a single line GET request to run arbitrary commands on the devices.
D-Link told Bleeping Computer that the affected devices could not be automatically updated and didn't have customer outreach features that could deliver messages or notifications.
The advisory says the devices can run third party open-firmware, but D-Link doesn't support users doing this. We think it'd be nice if its advisory actually listed the firmware so customers could go and get it, but maybe we're asking for too much.
At one level, the end-of-decision seems fair enough. The devices are old, weren't particularly expensive at USD$300 or less, and newer devices would be better and more secure.
However, it's still a bit rich for a company to shed itself of responsibility for something like a hard-coded credential. These devices will very likely be exploited to cause harm across the internet.
This newsletter has previously covered the KV-botnet, a botnet used by PRC-linked espionage groups that appears to be used in building capability to disrupt US critical infrastructure. Most of the devices that comprised the KV-botnet were end-of-life, and it makes sense for administrators to focus on devices from which vendors have absolved themselves of responsibility and are unlikely to patch.
In the case of the KV-botnet the US government, with assistance from international and private sector organisations, carried out a court-authorised disruption operation. These operations aren't cheap, however, so a vendor's inability or unwillingness to address these types of security problems effectively pushes costs onto the public purse.
Another security incident this week reportedly affects 91,000 LG smart televisions that are not end of life. Security firm Bitdefender says four TV models are all susceptible to four different vulnerabilities.
In contrast to D-Link's NAS devices, LG has the ability to push out updated firmware which should be automatically installed on its affected devices. That's a great position to be in, but then for policymakers the question becomes how long LG will provide these security updates. Until it retires these models? Until it gets sick of providing support? Or until a relatively small number of devices remain online?
Given that the justification for requiring that vendors issue security patches is the public interest, it makes sense that the obligation be based on how much harm could occur. In other words, vendors should be required to patch when there are still tons of devices online.
An ounce of vendor prevention is better than pounds of government cure, so placing security obligations on vendors makes sense.
Three Reasons to Be Cheerful This Week:
- Tackling Microsoft Office's government monopoly: US Senator Ron Wyden has released draft legislation that would require software used by the government to be interoperable to prevent vendor lock-in. Seriously Risky Business addressed this issue recently and it's fair to say it is complicated. So some high-level focus on it is welcome.
- Ivanti's commitment to security: Ivanti's CEO has published an open letter regarding the vendor’s ‘commitment to security'. Ivanti products have been the target of several state and financially-motivated campaigns in recent years. It's very early days, but this letter is a good example of a security initiative that sounds promising because it is CEO-backed, board supported, and includes explicit lines of effort.
- LockBit disruption looks successful: A Trend Micro report released last week says that the law enforcement operation against ransomware group LockBit has had a "significant impact" on the group. There was almost no LockBit activity after this disruption, despite the group’s claims. The report also hints at the size of these groups, and identifies 193 affiliate accounts. Adam and Patrick discussed the effects of ransomware disruption on the Risky Business podcast yesterday.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with GreyNoise founder Andrew Morris about last year's vulnerability exploitation trends, how the company's AI system works, and Catalin makes a fool of himself because he can't pronounce 'abnormalities.'
Shorts
The Evolution of Ukraine's IT Army
The Record's Ukraine correspondent, Daryna Antoniuk, has an interesting article looking at the evolution of Ukraine's IT Army, the volunteer hacktivist outfit that supports the Ukrainian cause.
Antoniuk describes the IT Army increasing its organisation, sophistication and capability over time. To us, it looks like the Ukrainian government is increasingly collaborating with hacktivist cyber operations, but 'Ted', an IT Army spokesperson, told Antoniuk that there were only unofficial links.
Ted also said that the IT Army aims to be an annoyance and knows that it won't win the war. "For most people, working in the IT Army is compensation for the guilt of not being on the front lines", he said.
HR Is Not Ransomware's Friend
TechCrunch has an entertaining account of a phone call in which a data theft hacker trying to extort a company applies pressure by calling its public telephone line. The hacker gets put through to HR and both parties end up talking at cross purposes.
Kaspersky Ban Incoming
The US government is reportedly said to be preparing to ban software made by Russian cyber security firm Kaspersky from being used by US citizens and companies. Makes sense to us.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the human side of the XZ Utils supply chain attack.
From Risky Biz News:
Ukraine wants Sandworm hackers tried at The Hague: The Ukrainian government is gathering evidence and intends to file a war crimes case against Russian military hackers at the International Criminal Court in The Hague.
The case will center around the December 2023 cyberattack against Kyivstar, Ukraine's largest mobile operator.
Russia hackers breached the company in May of last year, gathered data, and then wiped thousands of servers on December 12.
The attack disrupted mobile services for the Ukrainian population for days as the operator raced to rebuild affected systems.
In light of the incident's destruction and broad impact on its civilian population, Ukrainian officials hope to have the cyberattack labeled as a war crime.
[more on Risky Business News, including more on Ukraine's justification and possible hurdles Ukraine's efforts could face.]
Multi-party approval comes to Google Workspace: Google has added a new feature for its Workspace enterprise platform that will require multiple administrators to approve changes to an organisation's sensitive settings.
The new Multi-Party Approval feature will roll out in the next two weeks and will be available to any Google Workspace customer with two or more super admin accounts.
Once enabled, all super admins will be required to approve changes made to sensitive Workspace environments, such as changing MFA settings, account recovery steps, and login and session controls.
The feature is intended to counter admin account hacks. In the past, threat actors would often compromise an admin account and then silently make changes to an organisation's sensitive Workspace settings without the rest of the admin team noticing.
[more on Risky Business News]
Ukraine suspends SBU cyber chief: Ukraine has suspended Illia Vitiuk, the head of the SBU's cyber division. Officials say they've reassigned Vitiuk to a unit on the front while they investigate claims of corruption. Journalists from local news outlet Slidstvo claimed that Vitiuk and his wife recently bought expensive real estate despite not having the financial means to do so. Slidstvo reporters also claim they were harassed by SBU staff after publishing their article.
