China vs World: Cyber Security Reporting Duel
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by runZero.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Western cyber security agencies are co-authoring reports with an increasing number of overseas agencies into Chinese cyber activity. And China doesn't seem to like it.
The Australian Signals Directorate last week issued an advisory co-authored with German, Korean and Japanese intelligence, cyber security and law enforcement agencies, as well as the standard Five Eyes agencies that regularly contribute to advisories.
The advisory documented two successful compromises of Australian organisations and resulting investigations by the Australian Cyber Security Centre (ACSC).
The agencies attributed the compromises to APT40, a PRC-sponsored group that operates on behalf of the Ministry of State Security (MSS).
The report documents what it calls a 'notable' shift in tradecraft, away from using hacked websites for command and control to using compromised small office/home office devices to relay communications.
There is only a tiny amount of information in the report that could be ascribed to organisations other than ASD. The corralling of international agencies as authors is all about presenting a united front against Chinese cyber operations.
China, however, is pushing back by issuing its own reports on purported US activity or attempting to cast doubt on reports into its own behaviour.
Last week, for example, China's National Computer Virus Emergency Response Center (CVERC) attempted to cast doubt on reports about Volt Typhoon, a PRC-sponsored group suspected of compromising US critical infrastructure for potential disruption in the event of a military conflict. The CVERC report claims US intelligence agencies fabricated Volt Typhoon to gain increased budget from Congress.
In September last year the MSS accused the NSA of hacking Huawei and in 2022 Risky Business News covered "hilariously bad" reports claiming NSA hacking of a Chinese university. (To be clear, we don't doubt that the NSA is hacking PRC targets, but Chinese reports about this activity are woefully lacking in concrete information).
So, more robust reporting about Chinese cyber security operations may be causing an impact, at least in fuelling counter-reports. Regardless, establishing a united front with international partners about PRC-based threat actors is still a worthwhile endeavour.
US Outs Russian Government Social Media Manipulation
The US Department of Justice (DoJ) has spelt out the direct links between the Russian government and a social media bot farm spreading disinformation across the US and Europe.
The botnet operated on X (formerly Twitter) and promoted narratives favourable to the Russian government. The DoJ spelt out links to the Kremlin in a press release and associated affidavits released with the announcement of an operation to take down the botnet.
The DoJ-released documents spell out how the Kremlin, the FSB (Russia's Federal Security Service), and a deputy editor-in-chief of the state-run Russian media outlet RT (formerly Russia Today) were involved in the creation, direction and operation of the social media influence operation.
This Russian influence operation is not surprising, but it is interesting to see the US government devoting so much effort to the issue. The affidavit says an unspecified 'US agency' tipped off the FBI to the presence of the botnet.
And it is not just the US government. Along with the FBI and Cyber Command, Canadian and Dutch intelligence and cyber security agencies released a joint cyber security advisory describing the technology behind the social media bot farm, including how it used a custom AI system. How the botnet operates is described here on Risky Business News.
Gaping Security Holes In US Fedgov
Last week the Cybersecurity and Infrastructure Security Agency (CISA) published an excellent report covering an eight-month-long red team operation against a large unnamed US civilian federal government agency. The report is a detailed real world case study of how common network misconfigurations can be exploited to own an agency network and even pivot into an external organisation.
CISA calls this a 'SILENTSHIELD' red team assessment comprising a "no-notice, long-term simulation of nation-state cyber operations":
The team mimics the techniques, tradecraft, and behaviours of sophisticated threat actors and measures the potential dwell time actors have on a network, providing a realistic assessment of the organisation’s security posture.
In other words, these are 'gloves off' security assessments that don't have the limited scope and short time frames that often neuter red team engagements.
The engagement comprised an 'adversary emulation phase', where CISA gained unrestricted privileged access to the unnamed agency's network, and a three month 'collaboration phase' where it helped improve the organisation's cyber security capabilities.
CISA gained initial access by taking advantage of an unpatched remote code execution vulnerability in a web server. The report notes that CISA informed the target agency of the unpatched device, but the agency took over two weeks to rectify and did not thoroughly investigate the affected servers.
This was a missed opportunity according to CISA, as the impacted agency would have discovered Indicators of Compromise (IOCs) that should have led to full incident response.
CISA leveraged initial access into full compromise of the agency's Solaris enclave. This included access to sensitive systems including web applications and databases.
To access the agency's Windows environment, CISA created a target list of employees whose jobs involved public interaction with open source research and successfully phished one of them.
Once on the Windows network CISA "found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts." One of these accounts had domain administrator privileges for the parent domain and another had administrative permissions for most servers in the domain. Passwords for these accounts had not been updated in over eight years.
While in the target organisation CISA was able to take advantage of relationships with trusted partners to pivot into another civilian federal government agency. The report notes:
These cross-organisational attack paths are rarely identified or tested in regular assessments or audits due to network ownership, legal agreements, and/or vendor opacity. However, they remain a valuable access vector for advanced persistent threat (APT) actors.
The 'lessons learned' section of the report is excellent because it covers the gamut from technical to organisational shortcomings. At the technical level, it points out that the agency had 'insufficient controls to detect malicious activity' and 'ineffective logging, collection and analysis'.
CISA says the agency's 'hyper-focus' on detecting malicious activity using 'known-bad' IOCs hampered defenders' efforts against threat actors using new and different TTPs. The report says the target agency was "accustomed to catching internal red teams that used specific TTPs; introducing a new 'threat actor' with new TTPs sidestepped nearly all detections."
The report notes that decentralised teams with bureaucratic communication hindered defence. There were too many teams working in an uncoordinated way, meaning it was very difficult to build a comprehensive picture of possible threat activity.
In our view, this report is a companion piece to an advisory CISA and NSA released last year that warned about common cyber security misconfigurations the agencies' red and blue teams find in large organisations. That advisory warned that misconfigurations are common, going so far as to describe "a trend of systemic weakness in many large organisations, including those with mature cyber postures". This report illustrates how these misconfigurations can be exploited in a real network. That makes it relevant to many organisations.
CSE Sheds Some Light on Ransomware Disruption
The Communications Security Establishment Canada (CSE), the country's equivalent of the NSA, has revealed it last year disrupted an ongoing foreign ransomware attack on Canadian critical infrastructure.
The operation was revealed in CSE's latest annual report, released late last month. The report says:
While the Cyber Centre [Canada's equivalent of the UK NCSC or US CISA] worked to mitigate the compromise within Canada, CSE's foreign cyber operations team took action in cyberspace. The DCO interfered with the cybercriminals' foreign servers, reducing the effectiveness and profitability of their activities. Most importantly, CSE's actions reduced the impact of the incident on the victims.
CSE categorises this as a Defensive Cyber Operation, used to protect systems during major cyber incidents "when cyber security measures alone are not enough".
CSE also proactively disrupts foreign-based threats in what it calls Active Cyber Operations (ACOs). The annual reports says:
CSE also continued its ongoing ACO campaign to disrupt the activities of foreign ransomware groups. Working with Five Eyes partners, CSE used ACO to undermine the activities of foreign ransomware groups and to degrade the online tools they use. These ongoing operations make it harder for cybercriminals to launch ransomware attacks against Canadian organisations and to profit from the theft of Canadian data. CSE prioritises its operations based on the Cyber Centre’s assessments of which ransomware groups pose the greatest threat to Canada.
Cyber operations agencies can be notoriously secretive, so it is nice to get a little vignette about events in the counter-ransomware space.
Three Reasons to Be Cheerful This Week:
- Passkeys make Google's Advanced Protection Program easier: The APP, Google's highest level of account protection, has traditionally required two hardware security keys (in case one is lost or broken). Getting these keys has been difficult for some users, such as "a journalist covering a war zone, a travelling campaign worker, or a business leader taking a last-minute trip", Google says. But now people can mix and match passkeys with hardware security keys (enrolling with two passkeys, for example, or using one passkey and one physical device).
- Better, faster Windows updates: Microsoft has announced that Windows 11 will get 'checkpoint cumulative updates' that will involve "smaller, faster and more sustainable updates". This will push out feature and security updates via smaller incremental updates that contain only the changes from the previous checkpoint.
- Chinese telcos kicked from German networks: Critical components from Huawei and ZTE will be barred from German 5G core networks by the end of 2026, Interior Minister Nancy Faeser announced last week.
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to Rob King, Director of Security Research at runZero, about keeping up with the stream of vulnerabilities in the KEV list and OT devices and runZero's research into the SSH protocol.
Shorts
CDK Breach Not Material, Except For Customers
CyberScoop examines how recent new US Securities and Exchange Commission (SEC) disclosure rules have been interpreted in the recent ransomware attack on automotive software-as-a-service company CDK Global.
While several of CDK Global's customers issued SEC filings indicating the incident had caused short term impacts and might be material in the longer term, CDK Global's parent firm, Brookfield Business Partners, has not filed with the SEC.
In a press release parent firm Brookfield said "we do not expect this incident to have a material impact". It appears that CDK Global may have paid a USD$25m ransom, but this still seems fair enough given that Brookfield booked USD$96bn in revenue in 2023.
The SEC has actually issued guidance about what to do here and it essentially boils down to 'just use the right form'. If you've determined that an incident is material, disclose it under Item 1.05 of Form 8-K, 'Material Cybersecurity Incidents'.
If the incident is immaterial, or if you haven't yet determined whether it is material, use Item 8.01 of Form 8-K, 'Other events'.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss Shashank Joshi’s notes from a recent Oxford Cyber forum. Topics include the role of 0days and who is ahead when it comes to offensive cyber operations.
From Risky Biz News:
Ransomware attacks increase hospital mortality rates:
A whitepaper published last year by academics from the University of Minnesota's medical school has looked at the aftermath of ransomware attacks on US hospitals and found evidence to suggest that mortality rates typically increase by around 20%.
The study looked at hospital admissions before, during, and after a ransomware attack, at the hospital's profits, and reported patient deaths.
Researchers said the most affected category were patients who were already hospitalized at the time of the ransomware attack, compared to patients who were admitted after, where hospital staff could adjust procedures to take into account for unavailable IT systems.
[more on Risky Business News]
Squarespace DNS hijack spree hits crypto sites, everyone else watch out! At least four cryptocurrency platforms hosting their domains on Squarespace have been hit by DNS hijacks over the past week.
The Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains reported losing control over their official websites on Thursday and Friday last week.
The hijackers pointed the domains to malicious servers hosting wallet-draining phishing kits.
According to a report [PDF] published by a team of security researchers from Paradigm and Metamask, the affected domains were previously hosted on Google's now-defunct domain business.
Squarespace acquired Google Domains earlier in June 2023 and moved all Google customers to its infrastructure in June this year.
The research team says domains migrated from Google Domains to Squarespace had their MFA disabled as a technical measure to prevent admins from being locked out of their accounts after the migration.
[more on Risky Business News]
Apple warns iPhone users of new spyware attacks: Apple has sent this week a new batch of notifications about possible infections with mercenary spyware to iPhone users across 98 countries.
This was the company's second wave of notifications it sent this year after a first round back in April.
[more on Risky Business News]
A ransomware attack is putting lives at risk across South Africa: For the past two weeks, a ransomware attack has been wreaking havoc among healthcare services and putting lives at risk across South Africa.
The incident took place on June 22 and hit the National Health Laboratory Service (NHLS), a South African government organisation that does lab work for the country's hospitals.
The attack and subsequent IT outage crippled 265 NHLS laboratories and their ability to process blood work. According to a report from the Cape Independent, the labs are behind on over 6.3 million blood tests. The lack of proper blood work is delaying accurate diagnostics and has postponed operations, putting countless patient lives at risk.
A haematologist from Johannesburg described the situation as "dire," with patients in emergency wards and intensive care units around the country being in "fatal danger."
[more on Risky Business News]
