Microsoft Makes Security The New Black
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Thinkst.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Microsoft has finally embraced security as a top priority. This is great news for customers as the move will turbocharge competition between firms over which of them is most secure.
Last week, Microsoft CEO Satya Nadella issued an all-hands memo making it clear that security was the company’s top priority. Nadella wrote:
If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritising security above other things we do, such as releasing new features or providing ongoing support for legacy systems.
Nadella also said part of senior leadership's compensation will be based on progress towards security milestones.
It doesn't get much clearer than that, and we are convinced this shift is genuine.
Microsoft also published a post last week from security head Charlie Bell that dives into concrete actions it plans to take.
In addition to spelling out three security principles and six pillars, Bell said the company would 'elevate' security governance and work to instil a security-first culture.
A new emphasis on security culture is rippling out across the industry as competitors seek to position themselves as leaders in the area. In mid-April, for example, the CISO at Amazon Web Services (AWS) published a post on "how the unique culture of security at AWS makes a difference". And Google's Office of the CISO featured in a Forbes article in early April.
And last week Amazon CEO Andy Jassy touted AWS's security as a positive in the context of the deployment of cloud AI services, saying "most companies care deeply about the privacy of the data in their AI applications and the reliability of their training and production apps".
There is a whiff of marketing in these efforts, but it is still a very good thing that companies are now competing on security rather than sweeping their failures under the carpet.
Last week we wrote "Microsoft's senior leadership are beginning to understand that good security underpins everything the company does… they are just afraid to say it out loud where it might spook investors". Is it too much to hope that companies will tout their security as an advantage in future earnings calls?
Ransomware Kingpin Outed and Left Friendless
Law enforcement authorities say they have unmasked the ringleader of the LockBit ransomware group, naming 'LockBitSupp' as Russian national Dmitry Yuryevich Khoroshev. The US, UK and Australian governments have levied financial sanctions against him.
This is the most significant coordinated action taken against a ransomware kingpin. It follows on from the February disruption of LockBit's infrastructure.
Official announcements from US and UK government agencies provide a lot of information about LockBit. The UK's National Crime Agency says it now has "deep insight into LockBit's operations and network".
Risky Business News has more coverage of these insights, including allegations that Khoroshev has personally earned more than USD$100m from LockBit ransom payments.
Dmitry Yuryevich Khoroshev via the UK National Crime Agency
We get the strong sense that, in addition to standard criminal justice practices, the action is designed to throw Khoroshev to the wolves.
An indictment released by the US Department of Justice, for example, contains information that is likely to make Khoroshev's life difficult.
In information that may interest Russian law enforcement, the indictment says:
Although KHOROSHEV purported to prohibit LockBit affiliate Coconspirators from attacking victims located in Russia, KHOROSHEV and LockBit Coconspirators also deployed LockBit against multiple Russian victims.
Another section seems designed to ensure Khoroshev will not have friends in the Ransomware-as-a-service (RaaS) community:
Shortly after the February 2024 operation, KHOROSHEV, seeking to restore LockBit's primacy and to stifle his competition within the criminal RaaS space, communicated with law enforcement and offered his services in exchange for information regarding the identity of his RaaS competitors. Specifically, KHOROSHEV asked law enforcement during that exchange to, in sum and substance, "[g]ive me the names of my enemies."
If you don't think you'll get an arrest, the next best thing is to make a ringleader's life a misery.
Digging Deeper Into Change Healthcare's Failures
UnitedHealth Group CEO Andrew Witty testified to Congress last week about the disastrous ransomware attack on the company's Change Healthcare subsidiary.
This very significant attack had far-reaching impacts across the US health industry. These included disrupting billing and insurance payments and delivery of prescriptions.
In his testimony Witty said the ransomware actor used stolen credentials to gain access to a Citrix portal that did not have multi-factor authentication (MFA) enabled.
So at first glance, it simply seems that UnitedHealth was falling below an acceptable security baseline. But it's more complicated than that.
UnitedHealth acquired Change Healthcare about 18 months ago and its policy is to have MFA on external-facing systems. However, this wasn't implemented on the hacker's point of entry.
The ransomware's impact was also exacerbated by the presence of legacy systems, some of which were 40 years old.
In our view, this is the kind of complex high-impact event that likely has a multitude of contributing factors that the broader infosec (and business!) community would benefit from understanding.
In other words, what we need is a report that dives into the nuts and bolts of contributing factors, going deeper than a surface-level 'Citrix portal didn't have MFA' answer.
This reminds us of Conti's ransomware attack on the Irish national public health service (HSE). Although the initial entry point was phishing, a post-incident report laid the ultimate blame on deeper governance failures.
We don't think the Change Healthcare attack requires a Cyber Safety Review Board report; after all, the report into Conti's HSE attack was commissioned by the health service's own executive. Will UnitedHealth be brave enough to commission and publish its own independent report? We don't think so, but it would be an excellent idea.
Three Reasons to Be Cheerful This Week:
- Death to passwords: Microsoft has announced support for passkeys in consumer accounts and Google says over 400 million Google Accounts have used passkeys over the last year. Passkeys are a new standard that lets users log in to apps and websites without entering a password; instead the user's device signs a challenge from the site with a private key that never leaves the device, and the site checks that signature against the public key it stored at enrolment.
- Fewer ransomware victims pay up: Blockchain analysis company Chainalysis reports ransomware victims are increasingly unlikely to pay up. It attributes this in part to enhanced cyber resilience among organisations. Unfortunately, Chainalysis finds that affiliates are increasingly using multiple ransomware strains and that launching attacks is easier than ever.
- Hack for hire arrest: Reuters reports an Israeli private investigator, Amit Forlit, was arrested in London over allegations he carried out a hacking campaign on behalf of an unnamed American public relations firm.
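The passkey item above, as an added example rather than code from Microsoft, Google or the FIDO Alliance: a minimal Go model of the challenge-response behind a passkey sign-in, simplified from WebAuthn (the real protocol signs a richer authenticator-data structure and a JSON client-data blob; the relying-party ID, origin and signature-counter checks shown here are the parts that carry the security). The names `Register`, `Assert` and `Verify` and the origins `login.example` and `evil.example` are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator is the device side of a passkey: a P-256 private key that
// never leaves the device, bound to exactly one relying-party (RP) ID.
type Authenticator struct {
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is all the site stores at registration: the public key, the
// RP ID it was created for, and the last signature counter it accepted.
type Credential struct {
	RpID        string
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Assertion is the authenticator's answer to a sign-in challenge.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID) || big-endian signature counter
	ClientData []byte // challenge || origin the browser says it signs for
	Sig        []byte // ASN.1 ECDSA signature over AuthData || SHA-256(ClientData)
}

// Register creates a key pair for rpID and returns both halves (hypothetical API).
func Register(rpID string) (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv},
		&Credential{RpID: rpID, Pub: &priv.PublicKey}, nil
}

func clientData(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), origin...)
}

func signedDigest(authData, cd []byte) []byte {
	cdh := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

// Assert is what the browser calls, passing the RP ID it derived from the
// page's own origin. A credential registered for login.example cannot be
// exercised from a look-alike origin: the authenticator holds no key for it.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (*Assertion, error) {
	if rpID != a.rpID {
		return nil, errors.New("no credential for relying party " + rpID)
	}
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 36)
	copy(authData, h[:])
	binary.BigEndian.PutUint32(authData[32:], a.counter)
	cd := clientData(challenge, origin)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cd, Sig: sig}, nil
}

// Verify is the relying-party side: bind the assertion to our RP ID, the
// challenge we issued and the origin we expect, reject replays via the
// counter, then check the signature against the stored public key.
func Verify(cred *Credential, origin string, challenge []byte, as *Assertion) error {
	if len(as.AuthData) != 36 {
		return errors.New("malformed authenticator data")
	}
	want := sha256.Sum256([]byte(cred.RpID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("RP ID hash mismatch")
	}
	if !bytes.Equal(as.ClientData, clientData(challenge, origin)) {
		return errors.New("challenge or origin mismatch")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[32:])
	if counter <= cred.LastCounter {
		return errors.New("signature counter did not advance: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientData), as.Sig) {
		return errors.New("bad signature")
	}
	cred.LastCounter = counter
	return nil
}

func main() {
	auth, cred, err := Register("login.example")
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32) // server-issued nonce, one per sign-in attempt
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	as, err := auth.Assert("login.example", "https://login.example", challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine sign-in:", Verify(cred, "https://login.example", challenge, as))
	fmt.Println("replayed assertion:", Verify(cred, "https://login.example", challenge, as))
	_, err = auth.Assert("evil.example", "https://evil.example", challenge)
	fmt.Println("look-alike origin asks for the key:", err)
}
```

The three lines printed by `main` are the whole argument for passkeys over passwords: the genuine sign-in verifies, the captured assertion cannot be replayed because the counter does not advance, and a phishing page never obtains a signature at all because the browser hands the authenticator its own origin's RP ID.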
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to Thinkst CTO Marco Slaviero about staying current with modern attack trends and not falling for the trap of optimising to catch red teams.
Shorts
Surprise! Transparent Blockchain Not Good For Money Laundering
Blockchain analysis company Elliptic has published an article describing research that uses a machine learning model to identify patterns or chains of transactions that represent bitcoin being laundered.
This approach doesn't rely on starting with previously identified illicit wallets and finds suspicious activity just by looking at transactions.
Elliptic describes blockchains as "fertile ground" for machine learning techniques because of their inherent transparency.
The research was co-authored with researchers from the MIT-IBM Watson AI Lab.
Russian Cyber-Kinetic Coordination About Seeing And Scaring
Ukrainian sources have speculated in recent weeks about Russian forces' rationale for combining kinetic and cyber operations.
In late April, Serhii Prokopenko, the head of operations at Ukraine's National Cyber Security Coordination Center, speculated to The Record that Russia used cyber operations in tandem with missile attacks on Ukrainian energy infrastructure to collect information about the damage caused by those strikes.
This isn't a new practice. In January, Ukraine's security service, the SBU, warned Russia was compromising webcams, possibly to target missile strikes and assess damage.
Last week, Ukraine's CERT (CERT-UA) published its report on Russian cyber operations in the second half of 2023 and discussed cyber-kinetic coordination.
It says Russia continues to use what it calls "hybrid attacks that combine cyber elements with missile strikes, aimed primarily at exacerbating the psychological impact on civilians".
CERT-UA thinks, "with high certainty", a disruptive cyber attack on the Ukrainian mobile operator Kyivstar was carried out in order to amplify the effect of missile strikes carried out before and after.
The US's Ambitious International Cyber Strategy
The US government released its International Cyberspace and Digital Policy Strategy this week and, while we applaud the ambition, we are concerned about whether sufficient resources are available to execute the strategy.
It recognises that technology will shape the way the world develops and there are adversary states trying to "shape the future of technology to the detriment of US interests and values".
The strategy espouses a "comprehensive policy approach" using diplomacy and international statecraft across the entire digital ecosystem. It says this includes:
…hardware, software, protocols, technical standards, providers, operators, users, and supply chains spanning telecommunication networks, undersea cables, cloud computing, data centres, and satellite network infrastructure, operational technologies, applications, web platforms, and consumer technologies as well as Internet of Things (IoT), artificial intelligence (AI) and other critical and emerging technologies.
The US isn't trying to go it alone and partners and allies feature heavily in the strategy.
Still, that's a lot of ground to cover.
Is China Pillaging UK Personal Data Holdings?
The UK government says a foreign 'malign actor' accessed a payroll system holding details of current and former armed services personnel, including bank details and some addresses. Unsourced media reporting suggests the PRC is responsible.
This is entirely plausible. In the mid-2010s Chinese actors went on a hacking spree in the US that sought out bulk data sets, including breaches of the Office of Personnel Management (which holds US security clearance records), credit reporting agency Equifax, health insurer Anthem, hotel chain Marriott and United Airlines. These data sets complement one another and were reportedly mined by the PRC to identify US spies operating in China.
A 2021 breach of the UK's Electoral Commission systems has been blamed by the UK's National Cyber Security Centre on a 'China state-affiliated actor'. Is the UK the target of the PRC's next data harvesting exercise?
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at how different types of secrecy-obsessed organisations learn.
From Risky Biz News:
New router malware intercepts traffic to steal credentials: Reports on interesting and puzzling malware strains are quite rare in infosecland, where most of the time, you're bound to read about cryptominers, Mirai clones, and the same 5-6 malware loaders and infostealers over and over again.
This week, Lumen's Black Lotus Labs team published a report on a new malware strain named Cuttlefish that they found on both SOHO and enterprise-grade routers.
The interesting part about the report was that Cuttlefish appears to have been designed to work as a traffic interception system on the infected devices.
It scans network traffic and looks for text markers in URLs that reference passwords, keys, tokens, and other authentication-related items.
According to a list pulled by Black Lotus researchers from the malware's source code, Cuttlefish actively scans for 126 markers, with many referencing cloud services like Ali Cloud, AWS, Digital Ocean, CloudFlare, BitBucket, Ansible, and others.
Seeking authentication details for cloud-based resources could allow the attacker to move laterally across networks or even perform supply chain attacks from that infrastructure.
[more on Risky Business News]
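To make concrete what "text markers in URLs" means from the defender's side, here is an added Go example, not Black Lotus Labs' code and not Cuttlefish's marker list, that scans a constructed set of request URLs for query parameters whose names match a short credential-marker list of this example's own choosing. The point it makes: anything an application puts in a URL is readable by whatever sits on the path, so the same scan the malware runs doubles as an audit of your own plaintext traffic. The function names, the marker list and the sample URLs are all assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed marker list for this example. Black Lotus Labs reports that
// Cuttlefish searches for 126 markers; that list is not reproduced here.
var credentialMarkers = []string{
	"password", "passwd", "pwd", "secret", "token", "api_key", "apikey",
	"access_key", "aws_access_key_id", "aws_secret_access_key",
	"x-amz-credential", "signature", "auth",
}

var markerRe = buildMarkerRegexp(credentialMarkers)

// buildMarkerRegexp turns the marker list into one case-insensitive
// alternation so each parameter name is tested with a single match.
func buildMarkerRegexp(markers []string) *regexp.Regexp {
	quoted := make([]string, len(markers))
	for i, m := range markers {
		quoted[i] = regexp.QuoteMeta(m)
	}
	return regexp.MustCompile(`(?i)(` + strings.Join(quoted, "|") + `)`)
}

// Finding is one credential-bearing query parameter seen on the wire.
type Finding struct {
	Host  string
	Param string
	Value string // redacted: first four characters only, so logs stay safe
}

func redact(v string) string {
	if len(v) > 4 {
		return v[:4] + "***"
	}
	return "***"
}

// ScanURL parses one URL as an on-path device sees it in plaintext HTTP and
// returns every query parameter whose name matches a marker, sorted by
// parameter name so output is stable.
func ScanURL(raw string) ([]Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for name, vals := range u.Query() {
		if !markerRe.MatchString(name) {
			continue
		}
		for _, v := range vals {
			out = append(out, Finding{Host: u.Host, Param: name, Value: redact(v)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Param < out[j].Param })
	return out, nil
}

// ScanCapture runs ScanURL over a batch of request URLs, one per line,
// skipping blank lines and anything that fails to parse.
func ScanCapture(lines []string) []Finding {
	var all []Finding
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f, err := ScanURL(line)
		if err != nil {
			continue
		}
		all = append(all, f...)
	}
	return all
}

// Constructed sample of URLs a compromised router might observe; none are real.
var sampleCapture = []string{
	"https://s3.example.com/bucket/report.csv?X-Amz-Credential=AKIAEXAMPLE0000/20240501/us-east-1/s3/aws4_request&X-Amz-Signature=deadbeefcafe",
	"https://api.example.net/v1/login?user=alice&password=hunter2",
	"https://cdn.example.org/static/app.js?v=3",
	"http://git.example.com/repo.git/info/refs?access_token=ghp_constructedvalue",
}

func main() {
	for _, f := range ScanCapture(sampleCapture) {
		fmt.Printf("%-20s %-20s %s\n", f.Host, f.Param, f.Value)
	}
}
```

Run against the sample, it flags the pre-signed S3 URL, the login form that put the password in the query string, and the Git fetch carrying a bearer token, and ignores the static asset. Pre-signed cloud URLs are the awkward case: they are designed to be shared, but on an untrusted network they are exactly what this malware is positioned to collect, which is why their lifetimes should be short.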
Another Webex leak in Germany: The German Armed Forces (Bundeswehr) have misconfigured their Cisco Webex systems and leaked information on past and future meetings. Reporters from German newspaper Die Zeit found links to thousands of meetings on sensitive topics exposed on the internet. Meeting titles referenced sensitive and secret topics, such as Taurus missiles and battle tactics. The German government is also affected by the same issue with its Cisco Webex video conferencing software. Reporters say they easily found video conferences scheduled for Chancellor Olaf Scholz and other ministers.
[Ed: The Grugq and I discussed a German webex leak about Taurus cruise missiles on this episode of the Between Two Nerds podcast in March (or here on Apple podcasts)]
Outcry over APT28 hacks: The German [PDF] and Czech governments, the European Union, and NATO have condemned Russia for a major hacking spree linked to the APT28 group. Officials say the group used a Microsoft Outlook zero-day to compromise email accounts throughout 2023. The campaign targeted governmental entities, critical infrastructure operators, and political parties across the EU. Most of the victims were located in Germany, Czechia, and Ukraine. Germany has summoned a top Russian envoy to answer for the hacks and called on Russia to "refrain from such behaviour"—like that will work. The government of Poland and the UK also issued their own statements on the incidents. Russian officials called the statements "unsubstantiated and unfounded" and designed to incite "anti-Russian sentiments in Germany." [Additional coverage in DW]