Microsoft’s Dull Bulb Fails to Illuminate

PLUS Chinese APT side hustle: stealing Covid money

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

A dark dimly lit forest inside a lightbulb, Midjourney

Microsoft continues to position itself as a bulwark against digital authoritarianism, but keeps pushing its rhetoric beyond the available evidence. This is consequential stuff, and we're disappointed that Microsoft seems more interested in hyping threats as opposed to seeking to help people understand them.

A few recent examples:

On Saturday, Microsoft released an article on "Preparing for a Russian cyber offensive against Ukraine this winter". In this article, Microsoft promotes the view that Russia is launching coordinated cyber and conventional attacks:

The repeated temporal, sectoral and geographic association of these cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicate a shared set of operational priorities and provides strong circumstantial evidence that the efforts are coordinated, as reflected in the timelines below.

What circumstantial evidence? Correlation doesn't prove coordination. Having shared operational priorities between cyber and conventional forces is not the same as truly coordinated action. To us, it seems more like Russian desperation — let's throw everything we have at critical infrastructure, and if the missiles don't get through, maybe the cybers will. We've complained about Microsoft's embiggening of Russian cyber operations before and we don't see any new evidence that tells us that real coordination is occurring here.

In another example, Microsoft's 2022 Digital Defense report claims China's vulnerability reporting regulation could be used to funnel vulnerabilities to state intelligence agencies. It went so far as to state:

China’s vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner. This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.

The regulation actually states that individuals "are encouraged" to report vulnerabilities to both vendors and to the government (Article 6). It's only vendors that have the responsibility to report to the government within two days (Article 7.2). So Microsoft has the flow of information… backwards? The report continues:

The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority.

The report then cites a number of widely-exploited vulnerabilities where we don't think the regulation would apply. SolarWinds, Zoho, Microsoft, and Confluence are not Chinese vendors.

We acknowledge it's possible, even likely, that the Chinese state wants to harvest 0days from its security community for use in cyber espionage. But the law itself, as written, doesn't force security researchers to do that.

Weaponising an entire country's security community and how cyber capabilities are actually being used in modern warfare are important, weighty, significant issues that decision-makers need to clearly understand. Ironically, Microsoft's reports would probably run afoul of the Chinese regulation, which prohibits "malicious sensationalism". Lol.

DHS: It's the Kids Who Are Wrong

The US Department of Homeland Security announced that the second report of the Cyber Safety Review Board (CSRB) will focus on the activities of Lapsus$.

We are fans of the CSRB and are glad to see that DHS has not waited for another Log4Shell-size disaster before kicking off another review. Lapsus$ is an interesting choice.

Not everyone approves, and there is an argument against selecting Lapsus$'s activities for deep examination. There are already good reports on its techniques and practices and several of its members have already been arrested, for example. Politico has a more in-depth examination of the pros and cons of this decision here.

We're all for it. The group, a gang of teenagers who are apparently into data extortion for the fun of it, has compromised a whole host of high-profile companies including Microsoft, Uber, Nvidia, Rockstar Games, and Samsung. Even though Lapsus$ has not been found to be using particularly sophisticated techniques, the breadth of its compromises tells us that it exploited weaknesses common across a variety of companies and sectors.

We also think the role of the CSRB is different from typical post-breach incident reporting. Rather than understanding and remediating an isolated case, the CSRB can pore over multiple incidents to identify root causes. And although there is some good reporting on the group's activities, there's nothing that brings together the facts from a wider set of Lapsus$ compromises.

Adam Shostack, co-author of a guide on "How to Stand Up a Major Cyber Incidents Board", told Seriously Risky Business that he hopes this report will deliver an authoritative analysis of the group.

"One of the great things about NTSB reports is they start with clear, factual history before the analysis," he said. "Give us that quality of reporting on a real Lapsus$ incident, start to finish."

Shostack's comments pick up on our observations of the CSRB's first report into the Log4J incident. The report was excellent but the problems with supply-chain security are so pervasive that when we examined the CSRB's debt effort we wrote:

A majority of the Board's recommendations are focussed on broader issues such as "best practice for security hygiene", "build a better software ecosystem", and "investments in the future". This is pleasing as it addresses root causes — exactly what this newsletter wanted — but also sobering, in that the recommendations are so wide-ranging that even if they are immediately (and voluntarily) implemented by stakeholders they will take many years to bear fruit.

Lapsus$'s techniques are already being picked up by other groups (see the Risky Biz News report on Scattered Spider), so we are optimistic that focussing on the group will provide some actionable short-term recommendations that everyone can benefit from. An investigation into the SolarWinds attack — or another similarly rare and sophisticated attack — wouldn't deliver the same benefit. Bring it on.

APT41's Side Hustle: Stealing Covid Relief Money

The US Secret Service believes the Chinese-backed group APT41 stole at least USD$20m in US Covid relief benefits across multiple states. This theft achieves nothing for the PRC except to needlessly antagonise US policymakers.

In the context of US covid relief fraud, USD$20m barely rates a mention. The US Secret Service, which in addition to its well-known VIP protection role also has a financial crime investigation mission, estimates that criminals stole nearly USD$100bn in pandemic relief funds.

The Secret Service says APT41's operation involved more than 40,000 transactions and 2,000 accounts in more than a dozen states. The agency was able to recover half of the funds stolen by APT41.

But despite the minuscule monetary impact for both the PRC and the US, we think this incident will annoy politicians and policymakers, who no doubt consider China at least partially responsible for the pandemic in the first place and have been antagonised by Chinese officials promoting the theory that the US was the source of Covid-19. A government-linked group stealing covid relief money may be seen as adding insult to injury.

"I’ve never seen them target government money before," John Hultquist, VP of Threat Intelligence at cyber security firm Mandiant told NBC. "That would be an escalation."

It's unlikely that this activity is state-directed. Mandiant's 2019 deep-dive into APT41 found that its earliest activity targeted the video game industry for financial gain in 2012. It later branched out into cyber espionage operations but never gave up its criminal enterprise, balancing the two activities since 2014.

Mandiant thinks "the group's cyber crime activities are most likely motivated by personal financial gain or hobbyist interests". Beyond consistent targeting of the video game industry, APT41's criminal activities have included targeting cryptocurrencies and even the attempted deployment of ransomware.

Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations told Seriously Risky Business he agreed this theft would annoy policymakers and the administration.

Despite that, he doesn't think we'll see much of a response from the US government. However, he says the US government is "calling out more criminal elements of Chinese hacking recently" and he thinks we may eventually see the hackers behind this theft named in criminal indictments.

Segal doesn't think APT41's Covid-related thefts were state-directed, and it's also unlikely the US government will think of this as a Chinese government action.

Segal describes the whole thing as a "weird story". The PRC has nothing to gain, and it's an unnecessary irritant in a tense US-China relationship.

We think this is a great example of the downsides of outsourcing hacking operations to loosely-controlled groups.

Three Reasons to be Cheerful this Week:

  1. Managed Service Providers (MSPs) are critical infrastructure: The UK government announced last week that it will boost security standards and increase cyber incident reporting requirements for critical services and now also MSPs. The announcement states "MSPs, which are key to the functioning of essential services that keep the UK economy running, will be brought into scope of the regulations to keep digital supply chains secure".
  2. EU funds Cyber Lab in Ukraine: The EU has provided equipment for a cyber lab to the Ukrainian Armed Forces to help build and develop their cybersecurity capacity. The lab will provide training in detecting and dealing with cyberattacks and strengthening overall cybersecurity capabilities using real-time simulations.
  3. KmsdBot authors crashed their own botnet: Akamai researchers investigating KmsdBot, a cryptomining botnet, noticed that the operators sent an incorrectly formatted command that crashed the whole network.

Seriously Risky Business is supported by the Hewlett Foundation's Cyber Initiative and corporate sponsor Proofpoint.

Okta and Passwordless Authentication

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.


Bell Battles the Old Guard at Microsoft

Over a year ago when former AWS executive Charlie Bell joined Microsoft we doubted he'd get the support from Microsoft CEO Satya Nadella he needed to drive the security change we think Microsoft needs. Unfortunately, a profile of Charlie Bell's progress in The Information indicates that we were right. According to the profile, "managers who were part of Microsoft’s old guard have pushed back on Bell’s suggestions for improving their responsiveness to security vulnerabilities, believing he was setting too high a bar for stopping attacks on its products".

Well, sorry, but the bar needs to be raised. Although Bell appears to be fighting the good fight, without Nadella truly making security a priority we fear he'll only be able to deliver new security products and services. Not actual security.

Google Outs Spanish Spyware Vendor

Google's Threat Analysis Group last week published details about an exploitation framework called Heliconia that is likely connected to Barcelona-based Variston IT, a company that provides "custom security solutions". The Heliconia framework exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender and "provides all the tools necessary to deploy a payload to a target device", TAG writes. These vulnerabilities are fixed now, but although it doesn't have proof TAG expects that they were used in the wild before it became aware of them.

TAG learnt of Heliconia because Google received an anonymous tip to its Chrome bug reporting program containing details of three bugs, including source code. Ironically, the clues linking the bugs to Variston IT were provided by a cleaning script that was intended to ensure that binaries produced by the framework did not include sensitive strings such as "Variston".

TAG notes that "the commercial surveillance industry is thriving and has expanded significantly in recent years", so we expect we'll see more reports like this in future.

Dark Markets are Small and Highly Concentrated

Researchers have found that vendors on 30 darknet markets took USD$140m in revenue over eight months and that activity was highly concentrated. Almost all of that revenue occurred across just three markets. In the time period examined Agartha took USD$91m in revenue, Cartel USD$31m, and DeepMart USD$9m. Dark markets are regularly disrupted, so rankings by revenue could well drive law enforcement priorities. More coverage at The Conversation.

UK Digital Forensics Failure a Vignette

A UK government report into how well its police forces use digital forensics is damning. To uncharitably paraphrase, it found the capacity for digital forensics was overwhelmed, agencies didn't understand why that was a problem, and there was no plan to increase capacity to match increasing demand.

This shortfall in digital forensics capability reminds us of the difficulties at least some law enforcement bodies have faced developing capacity to tackle cybercrime. The digitisation of many aspects of society has been transformative, but it has been difficult for police forces worldwide to keep up. Unfortunately though, this doesn't look like a problem that is unique to the UK.

The Record has good coverage of the report including its findings, the impact on victims and recommended actions.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss reader feedback about whether the Five Eyes engage in economic espionage and look at allegations that Australia spied on the East Timorese government to get an edge in negotiations regarding exploitation of an oil and gas field. In various hypothetical scenarios we examine the ethics of the situation and what would have to change for that spying to be morally justified.

From Risky Biz News:

Samsung, MediaTek, and other Android platform certs were leaked and used to sign malware: Platform certificates from major Android vendors and software makers have leaked and were used to sign malware, the Android Security Team discovered last month.

Platform certificates are digital certificates used by Android OEMs and ODMs to sign versions of the Android OS they deploy on their devices, their firmware, and official vendor apps they might ship to consumers. Because of the crucial role they play, any Android app signed by a platform cert usually gets the highest level of trust and access to an Android device. (more on Risky Biz News)

Anker Eufy camera vulnerability: Security researchers have discovered that you can bypass authentication and encryption on Anker Eufy internet-connected cameras and access other people's live feeds just by connecting to an IP address from Anker's cloud using the VLC media player. When confronted by reporters about the issue, Anker denied that was possible but silently started making changes to its backend to address the issue. [Coverage of the whole disaster is available in The Verge]

Mercury IT ransomware incident: The New Zealand government said that a ransomware attack on Mercury IT, a major local MSP, has impacted the services of several private and public institutions. The attack took place last week on November 30. According to the NZ Herald, the incident has impacted and compromised the data of the Ministry of Justice, the Ministry of Health, the NZ National Nurses Association, health insurer Accuro, and private industry group BusinessNZ.