PRC: Not Stealthy, Just Annoying

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Panther.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Not only are cyber espionage groups likely based in China using living-off-the-land techniques to operate stealthily, they are adopting techniques that make post-discovery eviction more difficult.

Two separate campaigns reported in recent weeks illustrate the different techniques actors believed to be associated with the PRC are using. In one campaign, a group that had been operating slowly and discreetly switched to large-scale device exploitation and used various persistence mechanisms to 'dig in' once it was discovered.

In the second campaign, the actor concerned used compromised end-of-life devices in a botnet to relay command and control communications.

The first campaign appears to have kicked off in early December last year, and targets Ivanti Connect Secure VPN devices. Cyber security firm Volexity reported details of this campaign, including the two 0days used, on 10 January.

Volexity appears to have become aware of the campaign from its very beginning. The firm discovered suspicious activity on a customer's network and was able to trace it back to Ivanti's internet-facing VPN appliance.

Volexity was able to determine that two 0days (an authentication bypass and command injection vulnerability) were used in concert to compromise the device to get network access.

Hackers then used this access to deploy a webshell and keylogger, gather credentials and ultimately pivot into the internal network. Volexity wrote in its report that it "has reason to believe that UTA0178 (Ed: its name for the group responsible) is a Chinese nation-state-level threat actor", but did not expand on these reasons.

Mandiant also reported on the activity and described the group responsible as a "suspected espionage threat actor", but did not assign the activity to any particular state.

Both reports note that the group used compromised out-of-support Cyberoam VPN devices to proxy communications. Targeting end-of-life devices is also a feature of the second campaign we discuss.

Ivanti published a mitigation on the same day Volexity released its report. By the day of publication, Volexity and Ivanti had found only a single compromised organisation.

However, the day after publication, on 11 January, what Volexity describes as "widespread exploitation" kicked off. Much of this activity occurred quite quickly after publication and used essentially the same webshell as was deployed in the first hack Volexity detected, indicating the same actor was probably at work.

The company says that "appliances appear to have been indiscriminately targeted, with victims all over the world" and that by 14 January, 1,700 Connect Secure devices had been compromised. It appears other threat actors also attempted to exploit Connect Secure devices, but it is not clear whether their efforts were related to the initial group’s actions.

We have seen Chinese actors accelerate operations after they have been pinged before. In June last year, a PRC espionage group rapidly deployed different persistence mechanisms at scale after its campaign exploiting Barracuda Email Security Gateways was detected and publicised. This 'digging in' was so extensive that Barracuda could not guarantee the affected gateways could be made secure again and recommended they be fully replaced.

Another report, released last week by SecurityScorecard's STRIKE team, says that a botnet used by China's Volt Typhoon group now controls about 30% of all the visible Cisco RV320 and RV325 WAN routers across the internet.

Volt Typhoon is a genuinely worrying group because it appears to be "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises", according to a Microsoft report.

The hacked Cisco routers are incorporated into what Black Lotus Labs at Lumen Technologies calls the 'KV-botnet', a botnet made up of compromised small office/home office routers.

This botnet is made up of two 'clusters'. One cluster, called the "JDY cluster" by Black Lotus Labs, is used for target scanning. Targets identified by JDY are then passed to the "KV cluster", which "appears to be reserved for manual operations against higher value targets".

The JDY or scanning portion of the network is made up exclusively of Cisco RV320 and RV325 routers, whereas the composition of the KV portion varies and has over time included Cisco RV320s, DrayTek Vigor routers, NETGEAR ProSAFEs and Axis IP cameras.

Except for the Axis IP cameras, all these devices are end-of-life and manufacturers have absolved themself of responsibility for security patching.

Targeting end-of-life devices for these botnets just makes sense. Manufacturers have already washed their hands of responsibility, so are not likely to issue patches without some sort of public pressure. And how would an owner know if their device had been assimilated into a Chinese spy botnet anyway?

There have been several US government efforts to take down botnets used by foreign cyber espionage actors, notably Russian botnets such as VPNfilter, Cyclops Blink and Snake. However, these kinds of operations take a huge amount of time and effort and are also sometimes constrained in scope because of jurisdictional issues. We can't help wondering if prevention would be better than cure.

Targeting of EOL devices highlights deficiencies in patching obligations

One theme of the US cyber security strategy is shifting the costs of poor product security back on the companies that sold those products in the first place. We think it is time to look at how long companies should be required to provide software patches to mitigate security issues.

No doubt it is painful for companies to issue security updates and patches for old products. We can understand why companies would like to turn a blind eye and wash their hands of them. But who then becomes responsible for vulnerabilities in these products? And should it be up to governments to effectively subsidise these manufacturers by applying band aid solutions once they become a national security problem?

And a reminder that compromised devices aren't 'just' used to steal information — as mentioned earlier, there is deep concern that Volt Typhoon is preparing disruptive capabilities for use in a military conflict with the US.

FTC Geolocation Win Masks Shaky Legal Foundations

Last week the Federal Trade Commission (FTC) announced its first ever settlement with a data broker over the sale of sensitive location data.

That the FTC has pursued this action is great as the US needs far more rigorous data privacy standards. But the basis for the settlement is pretty thin and underscores the terrible state of American privacy law.

In its original complaint from 2022, (when the data broker concerned, Outlogic, was known as X-Mode), the commission said X-Mode sold "raw location data tied to unique persistent identifiers" and advertised that its location data "is 70% accurate within 20 meters or less".

Fine-grained geolocation data linked to a persistent identifier is, from a surveillance and intelligence perspective, wonderful! Combined with offline information available about people, this data is essentially all someone needs to figure out who people are and where they go (we covered a real-world example of use of this data involving a Catholic priest back in 2021).

The complaint continues:

X-Mode does not restrict the collection of location data from sensitive locations such as healthcare facilities, churches, and schools. X-Mode contractually restricts how its customers may use location data. For example, one such restriction is that its customers cannot:

use X-Mode Data (alone or combined with other data) to associate any user, device or individual with any venue that is related to healthcare, addiction, pregnancy or pregnancy termination, or sexual orientation, or to otherwise infer an interest or characteristic related to any of the foregoing;

So… X-Mode's made its customers pinky promise not to do anything bad. The FTC didn't think that was sufficient.

X-Mode mostly obtained location data through third-party apps that incorporated its Software Development Kit (SDK). The developers of these third-party apps were paid to facilitate X-Mode's data collection and its SDK was incorporated into over 300 apps including games, fitness trackers and religious apps.

Brandon Pugh, Cybersecurity Director at the R Street Institute, told Seriously Risky Business, that the FTC "is no stranger to taking action directed at data brokers" and "it's clear that the FTC hopes this will be a signal to data brokers".

He thought, however, that it would be better if Congress passed comprehensive federal data privacy and security laws.

"That would allow Congress to take the lead on privacy policy instead of a federal agency acting by way of ad hoc actions or expansive rulemaking", he said.

The strongest part of the FTC's complaint is that X-Mode did not properly tell mobile device users how their data would be used, did not honour consumer's privacy choices and did not get informed consent from users of these third-party apps. That's pretty cut and dried.

The logical response from other companies in this segment is to list how geolocation data is collected and used in the terms and conditions of apps that act as data sources. That would greatly reduce the sting of any possible FTC action. (This Wired article examines the Outlogic settlement and the ineffectiveness of terms and conditions in more detail).

The geolocation data of an entire nation just shouldn't be for sale. The FTC is trying to fix this problem, but it would be much better if its actions were supported by reasonable laws.

Three Reasons to Be Cheerful This Week:

1. More disruption operations on the way: A Department of Justice official has told attendees at an international cyber security conference that he expects more US government cyber threat disruption operations in 2024. That is the right approach and we look forward to hearing about them over the coming year.
2. Removing barriers for cyber hires: The US government is working to remove the requirement for four-year degrees for some federal cyber security contracting jobs.
3. Positive scorecard for US cyber diplomats: The US Government Accountability Office has reviewed the State Department's new Bureau of Cyberspace and Digital Policy and on the whole, given it a passing grade. NextGov has further coverage.

Sponsor Section

In this Risky Business News sponsor interview Tom Uren talks to Ken Westin, Field CISO at Panther about how the rise of cloud and hybrid IT architectures requires a new type of SIEM.

A short demo on how to use Panther's Detections-as-Code (DaC) platform for cryptominer investigations.

Shorts

Insurers Settle in Merck NotPetya Case

Pharmaceutical giant Merck reached a settlement with its insurance providers in a case over USD$1.4bn in claims stemming from the 2017 NotPetya attack. In this attack a Russian military intelligence unit launched a wiper attack on Ukrainian firms that propagated globally. Merck's insurers were trying to avoid making payments, claiming NotPetya fell under the insurance policy's war exclusions.

The settlement is not public, but it means that the previous appeals court opinion in favour of Merck still stands.

The Varying Impact of Takedowns

Threat intelligence firm Recorded Future compares three different takedowns in its recently released 2023 Adversary Infrastructure Report. Action against the Emotet and Qakbot botnets have been relatively effective, although in both cases the criminals behind the botnets appear to have moved on to other efforts such as propagating different types of malware. A takedown of unlicensed Cobalt Strike servers, by contrast, didn't have much impact at all. (Cobalt Strike is a legitimate security testing command and control tool that is popular amongst cyber criminals and state actors).

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the legacy of Stuxnet, how it was an 'inevitable gamechanger' and how much the Dutch government knew (or should have known) at the time.

From Risky Biz News:

eBay fined in 2019 harassment case: eBay has agreed to pay a $3 million fine to settle a DOJ lawsuit accusing the company of orchestrating a harassment and intimidation campaign. The company admitted that its security team harassed a US couple who ran a newsletter that negatively reviewed eBay products. eBay's former Senior Director of Safety and Security and six members of the company's security team posted negative comments on the newsletter's articles and a bunch of way way waaaaaaay more creepy stuff—see below.

The campaign included sending anonymous and disturbing deliveries to the victims' home, including a book on surviving the death of a spouse, a bloody pig mask, a fetal pig and a funeral wreath and live insects; sending private Twitter messages and public tweets criticizing the newsletter’s content and threatening to visit the victims in Natick; and traveling to Natick to surveil the victims and install a GPS tracking device on their car. The harassment also featured Craigslist posts inviting the public for sexual encounters at the victims' home.

Sandworm: Forescout has a deep dive [PDF] into the Sandworm attacks against Denmark's critical sector that were spotted last year by local authorities. The surprising main conclusion is below.

Evidence suggests that the two waves of attacks on Danish infrastructure reported by SektorCERT were unrelated. It also suggests that the second wave was simply part of a mass exploitation campaign against unpatched firewalls, not part of a targeted attack by Sandworm or another state-sponsored actor.

Cybercrime crew infects 172,000 smart TVs and set-top boxes: A cybercrime operation is believed to have infected at least 172,000 smart TVs and set-top boxes with malware that carries out DDoS attacks.

Named Bigpanzi, the group has been active since at least 2015 and appears to target Spanish and Portuguese-speaking users across Latin America.

According to Chinese security firm QiAnXin, Bigpanzi built its botnet through social-engineering tactics, such as spreading apps to view pirated content, apps to enhance TV viewing experiences, and backdoored firmware updates.

Once installed, the apps and firmware updates would ensnare infected devices into the Bigpanzi botnet and carry out attacks at the operator's behest.