G-Men Gone Wild

PLUS: The Industrialisation of Business Email Compromise

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought to you by Thinkst.


G-Men Gone Wild

Revelations that the FBI improperly used data collected for foreign intelligence under Section 702 of the Foreign Intelligence Surveillance Act (FISA) are fueling doubts about whether the authority will be renewed before it expires at the end of the year.

The news of the FBI searches is contained in a declassified court opinion released by the Director of National Intelligence. The opinion, issued in April of last year by the Foreign Intelligence Surveillance Court (FISC), describes the FBI as having a "pattern of broad, suspicionless queries that are not reasonably likely to retrieve foreign intelligence or evidence of crime".

Section 702 allows US intelligence agencies to compel service providers to help conduct targeted surveillance of foreigners outside the US and has been described by US officials as the "crown jewel" of US surveillance programs. The Section 702 amendment was motivated in part by terrorist use of US email service providers in the early 2000s.

The problem here, known as "incidental collection", is that foreign intelligence targets can and do talk to US citizens whose communications then get swept up into the 702 database. Of course, this is no different for foreign intelligence collection that takes place overseas. Regardless of the source, there is a whole set of procedures to make sure that the privacy of US citizens is protected as far as it is possible. (The hoops SIGINT people have to jump through to collect this information in the first place are pretty onerous.)

But 702 is nonetheless controversial because collection takes place on US soil. So the authority doesn't endure indefinitely and expires unless reauthorised by Congress. It was last renewed in 2018 and is set to expire at the end of this year.

The opinion describes how the FBI "frequently violated" the government's own criteria for when it was appropriate to query Section 702 data. These criteria are pretty sensible — a query can't be "overly broad", it has to be for a legitimate purpose, and there has to be a reasonable expectation that it will return foreign intelligence or, for the FBI, evidence of a crime.

The opinion then lists several examples where the FBI improperly queried the 702 database, including in relation to suspects in the January 6 Capitol riot, people arrested at protests after the killing of George Floyd, and 19,000 donors to a congressional candidate. The headlines this news has created are, well, not good.

These types of searches are described, with some justification, as "backdoor searches" because the government is able to search for a US person's communications without first providing a judge with "probable cause", a reason to believe a crime has been committed.

Being charitable, the FBI wasn't being malicious so much as overenthusiastic. In the examples cited the FBI had valid reasons to query its databases, but it either included the 702 database when it shouldn't have or queried 702 data too broadly.

For example, prior to early 2020 the FBI regularly queried 702 data for people connected to police homicide reports "including victims, next-of-kin, witnesses and suspects". In these cases there was absolutely no reason to believe that 702 data might hold anything of value, but it was queried anyway.

In other cases the FBI had good reason to query 702 data but did so far too broadly. When the FBI queried 19,000 donors to a congressional campaign it did so because the campaign was a target of foreign influence. But the Department of Justice's National Security Division found that only eight identifiers "had sufficient ties to foreign influence activities to comply with the querying standard".

If you squint and put on your FBI-tinted glasses you can sort of see what the FBI was thinking here. Section 702 data isn't collected in bulk, but is targeted at non-US persons outside the US whose communications are thought to hold foreign intelligence value. In other words, there is some reason the data is in there, and so perhaps there could have been some valuable overlap with whatever the FBI happened to be investigating at the time.

The FBI told the FISC that querying 702 data had just become "part of routine baseline checks". That's not the way the system is meant to work, however, and querying 702 data just because it is there is a no-no.

These errors all occurred prior to the FBI introducing new processes, and the FISC thinks the changes made by the FBI "should reduce the number of non-compliant queries". These changes include increased training and oversight, requiring case-specific justifications for queries, more approvals for batch queries, and also that queries of 702 data be opt-in rather than occurring by default. Analysts will now have to manually select that data rather than querying it without thinking.

These all seem like fine changes, and the annual intelligence community transparency report released this April provides some evidence that they've made a difference. Absolute numbers of queries are down, and the FISC is "encouraged" by the FBI's changes to its querying procedures. So is it all good then?

One reading of this is that it confirms that the government cannot be trusted with intrusive powers. The FBI's cavalier attitude hasn't been corrected for years and it is staggering that it has taken so long to make some of these changes. After all, FISA Section 702 has been around since 2008 and 15 years is a long time to only now be getting around to making queries opt-in.

But in this case it's not the US government writ large, it's just the FBI. It's tempting to do something drastic here like requiring the FBI to get warrants prior to 702 searches. After all, in the words of the FISC opinion, it has a "persistent and widespread" track record over years rather than just occasional lapses.

We think, however, that would be throwing the baby out with the bathwater. The FBI's use of Section 702 has been recklessly cavalier, but there are roles the FBI has that should have access to the foreign intelligence information that Section 702 provides.

Cyber security threats are one example. A letter from DNI Avril Haines and Attorney General Merrick Garland to Congressional leaders says, for example, that:

Section 702-acquired information has been used to identify multiple foreign ransomware attacks on US critical infrastructure. This intelligence positioned the US government to respond to and mitigate these events, and in some instances prevent significant attacks on US networks.

The letter also cites terrorist and counter espionage information that is relevant to FBI interests. This is where the debate about the reauthorisation of Section 702 should focus. Are the changes that the FBI has already implemented enough? These add more training, justification and oversight, but don't limit access within the FBI.

The FISC opinion itself suggests "substantially limiting" the number of FBI personnel with access may become necessary if the FBI's 702 querying problems are not fixed. We think this is a good idea. One idea is to limit access based on roles, another is to seriously beef up the paperwork involved, and introduce regular reviews of said paperwork.

We also think allowing the FBI to query the 702 data for "evidence of a crime" needs to be pulled back. Limiting crime-related queries to investigations into serious, transnational syndicates (think: cartels) seems sensible. But querying all the names of anyone who pops up in homicide investigations that cross all agents' desks? Wut? This is your standard operating procedure?

The FBI should mostly stick to using 702-collected data to investigate foreign interference, counter-espionage, cybersecurity and terrorism. 702 was never intended as a catch-all crime-fighting tool.

There's a silver lining to all of this. Intelligence officials are now bending over backwards to justify the Section 702 renewal. This is proof that sunset provisions in authorities like these are vital in bringing some measure of transparency to the table and, ultimately, improvements to processes.

Listen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business podcast:

Three Reasons to be Cheerful this Week:

  1. Charges over Pegasus, FinFisher spyware: Mexico's Attorney General has charged four former officials, including the former leaders of Mexico's Criminal Investigation Agency and Federal Ministerial Police, for illegally acquiring Pegasus spyware. [More at Risky Biz News.] And prosecutors in Germany have filed charges against directors of the firm that made FinFisher spyware for selling the spyware in Turkey without appropriate approvals.
  2. Genesis Market takedown bites: Last month's takedown of the Genesis Market, one of the world's largest marketplaces for stolen credentials and compromised computers, is having a longer-term impact on criminal behaviour. Criminals are reluctant to move to Genesis's darknet site, fearing that it is controlled by the FBI, and competitor markets are only showing modest growth.
  3. Google launches Mobile Vulnerability Rewards Program: The Mobile VRP will reward researchers who find bugs in official Android applications such as Gmail, Chrome and Google Play Services.

This edition is brought to you by Thinkst Canary. Most companies find out way too late that they've been breached. Thinkst Canary changes this. Deployed and Loved on all seven continents. Thinkst Canary. Deploys in minutes; almost zero admin overhead. It just works!

Be sure to catch Tom Uren's interview with Thinkst's Haroon Meer:


The Industrialisation of Business Email Compromise

A new Microsoft report says business email compromise (BEC) is accelerating. We think this signals the "industrialisation" of BEC.

One trend Microsoft thinks is significant is attackers increasingly using platforms like BulletProftLink, a service that helps criminals to spin up large-scale BEC campaigns. We first noticed BulletProftLink back in September of 2021 when it was a large phishing-as-a-service operation, but it is still around and now also provides automated BEC services.

Criminals are combining this automation with residential IP proxy services to mask their locations and prevent the detection of compromised user accounts. Microsoft says threat actors in Asia and "an Eastern European nation" most frequently use the tactic.
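The residential-proxy point is worth making concrete. Location-based anomaly rules ("impossible travel", country change) assume the attacker's IP looks foreign; a residential proxy in the victim's own country defeats that assumption. What still surfaces the compromise is correlating a sign-in from a network the user has never used before with the post-logon action a BEC actor almost always takes, such as creating an inbox forwarding or deletion rule. The script below is an added illustration, not code from the Microsoft report or the newsletter, and every log line, ASN and address in it is constructed for the example.

```python
"""
Added example (not from Microsoft or the newsletter): why a country-only
anomaly rule misses a residential-proxy logon, and how a "first-seen ASN
followed by an inbox-rule change" rule still catches it.
All events below are constructed; ASNs and IPs are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in/audit events: (time, user, event, ip, asn, country).
# The attacker's address is in a residential ISP range in the same country
# as the victim, so a country-change rule sees nothing unusual.
EVENTS = [
    ("2023-05-15T08:02:00", "alice@example.com", "signin",     "203.0.113.10",  "AS64500", "US"),
    ("2023-05-15T09:10:00", "alice@example.com", "signin",     "203.0.113.10",  "AS64500", "US"),
    ("2023-05-16T08:05:00", "alice@example.com", "signin",     "203.0.113.11",  "AS64500", "US"),
    # residential-proxy logon: same country, never-before-seen ASN for this user
    ("2023-05-16T22:41:00", "alice@example.com", "signin",     "198.51.100.77", "AS64511", "US"),
    # classic BEC follow-up: forwarding rule created minutes after the logon
    ("2023-05-16T22:49:00", "alice@example.com", "inbox_rule", "198.51.100.77", "AS64511", "US"),
    # a legitimate user creating a rule from his usual network: no alert
    ("2023-05-16T09:00:00", "bob@example.com",   "signin",     "203.0.113.20",  "AS64500", "US"),
    ("2023-05-16T09:30:00", "bob@example.com",   "inbox_rule", "203.0.113.20",  "AS64500", "US"),
]


def parse(events):
    """Convert the ISO timestamps and return events in chronological order."""
    parsed = [(datetime.fromisoformat(t), u, e, ip, asn, c) for t, u, e, ip, asn, c in events]
    return sorted(parsed)


def geo_only_alerts(events):
    """Country-change rule: flag a sign-in whose country differs from the
    user's previous sign-in. Returns [] here because the proxied logon is
    in the same country as the victim."""
    last_country = {}
    alerts = []
    for t, user, ev, ip, asn, country in parse(events):
        if ev != "signin":
            continue
        if user in last_country and last_country[user] != country:
            alerts.append({"user": user, "time": t.isoformat(), "ip": ip})
        last_country[user] = country
    return alerts


def new_asn_then_rule_alerts(events, window=timedelta(minutes=60)):
    """Flag a sign-in from an ASN never seen for that user (after at least
    one earlier sign-in exists) when it is followed within `window` by an
    inbox-rule change. The ASN baseline is built from the events themselves."""
    seen_asns = defaultdict(set)   # user -> ASNs observed on earlier sign-ins
    suspect_logons = {}            # user -> (time, ip, asn) of latest first-seen-ASN logon
    alerts = []
    for t, user, ev, ip, asn, country in parse(events):
        if ev == "signin":
            if seen_asns[user] and asn not in seen_asns[user]:
                suspect_logons[user] = (t, ip, asn)
            seen_asns[user].add(asn)
        elif ev == "inbox_rule" and user in suspect_logons:
            t0, ip0, asn0 = suspect_logons[user]
            if t - t0 <= window:
                alerts.append({"user": user, "logon": t0.isoformat(), "ip": ip0,
                               "asn": asn0, "rule_created": t.isoformat()})
    return alerts


if __name__ == "__main__":
    print("geo-only alerts:", geo_only_alerts(EVENTS))              # -> []
    print("new-ASN + rule alerts:", new_asn_then_rule_alerts(EVENTS))  # -> alice, AS64511
```

In a real tenant the ASN baseline needs weeks of history rather than two days, and a new ASN on its own is a weak signal (mobile users roam across carriers all the time). That is why the rule keys on the combination: a first-seen network plus a mailbox-rule change in the following hour is rare for legitimate users and routine for BEC operators, proxy or no proxy.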

Battling Crypto Scam Spam

Krebs on Security took a look at the back and forth that took place when a spammer attempted to spread crypto scams via Mastodon direct messages.

Fake Fingers

A bunch of researchers have developed a smartphone fingerprint brute forcing technique dubbed BrutePrint. With physical access at least some Android fingerprint locks can be cracked within minutes to hours. The iPhone 7 tested was not vulnerable.

Play Stupid Ransomware Games, Win Stupid Ransomware Prizes

A 28-year-old UK man has been convicted over his efforts to take advantage of a ransomware attack on his employer. The IT security analyst altered the original ransom email to change the payment cryptocurrency address to one he controlled and also sent emails pretending to be from the ransomware group.

Turla: This is Your Life

Wired has a short retrospective on the innovative operations carried out by Turla, which is one of the names of the FSB group behind the Snake malware disrupted by the US government earlier this month. Among the highlights, Turla once hijacked Iranian malware to deploy tooling and conduct its own operations.

Zoom's Chinese Censorship Conspirators

CyberScoop looked at Chinese government efforts to censor speech on the Zoom video conferencing platform, even when it was occurring outside the PRC.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at the concept of cyber "pinch points", a place of vulnerability that can be targeted to bring an opponent to their knees. These points of vulnerability must surely exist but Tom and The Grugq wonder how easy they are to identify beforehand.

From Risky Biz News:

Almost 9 million Android phones sold pre-infected with malware: A cybercrime operation tracked as the Lemon Group has planted malware inside the firmware of almost nine million Android devices sold across the world over the past half-decade. The group's malware has been found in the OEM firmware images of multiple brands of low-cost Android smartphones.

Trend Micro, which has been tracking the group for years, says it was unable to discover how exactly this was done, but the company suspects the group may be working with insiders at various smartphone factories. [more at Risky Biz News]

Ransomware in Russia: FACCT (formerly Group-IB's Russian division) has a technical analysis on LokiLocker and DarkBit, two ransomware strains that have been spotted attacking Russian companies. Both LokiLocker and DarkBit have been previously linked to Iranian groups operating with state backing.

US Treasury sanctions North Korea's hacking school, two cyber units: The US Treasury has imposed sanctions on five North Korean entities, including a university where the government trains its cyber forces and two cyber units that are part of its intelligence apparatus.

Sanctions were levied against the Pyongyang University of Automation, which US officials say has trained many of the cyber units of the Reconnaissance General Bureau (RGB)—North Korea's primary intelligence bureau and main agency behind the country's cyber espionage and cyber thefts.

Officials also sanctioned two of the RGB's bureaus—the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center. [more on Risky Biz News]