Microsoft's Sociopathic Cybersecurity Pedantry
PLUS: Is Guacamaya a Chinese Info Op?
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.
Microsoft's response to a string of security issues over the last two weeks makes it clear that security is still not a high priority at the company, despite lip service to the contrary.
In mid-October, security firm WithSecure announced it discovered that Microsoft Office 365 allows the use of the insecure Electronic Code Book (ECB) message encryption. ECB encryption is flawed and an attacker with access to a large number of messages may be able to analyse them to identify repeated patterns and then infer clear text of encrypted messages. Microsoft paid WithSecure a USD$5000 bug bounty but subsequently did not fix the problem.
Microsoft has some justification for its position here. ECB is used to support legacy applications, and Microsoft is rolling out replacements for the vulnerable Office Message Encryption (OME) service. Despite that, however, its communications on the subject have been terrible.
When asked about the issue, a Microsoft spokesperson told Bleeping Computer that the "rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary". This is possibly correct according to Microsoft's internal perception but is utterly useless for customers that may naively expect email encryption to actually protect content.
Microsoft added that "to help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product". Again, these are factually correct statements but irrelevant to email encryption and the risks it is meant to mitigate against.
Also, earlier this month, multiple security researchers discovered that Microsoft botched its protection against a privilege escalation technique known as Bring Your Own Vulnerable Driver. The BYOVD technique allows attackers to achieve ring 0 or kernel-level privileges by installing vulnerable drivers. Microsoft announced mitigations for Secured-core PCs in 2020, but it turns out these mitigations were never properly implemented — Microsoft intended to maintain a blocklist of vulnerable drivers but didn't.
Finally, last week security firm SOCRadar announced it had detected a misconfigured Azure Blob Storage bucket containing 2.4TB of Microsoft data. The information included communications between Microsoft and its customers, covering 65,000 companies in 111 countries. Microsoft minimised the breach in its response and said: "Our investigation found no indication customer accounts or systems were compromised". This is what you say if you are a sociopathic pedant and while it is technically correct, it is also misleading as it turns out the blob was indexed on Grayhat Warfare, a database that harvests publicly exposed buckets. No accounts or systems compromised, just your data.
Microsoft then attacks SOCRadar stating: "we appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue". Attacking the messenger is just a terrible look. Ars Technica has more complete coverage of Microsoft's response.
Back in September last year, we wrote:
Former AWS veteran Charlie Bell is joining Microsoft to lead a newly formed engineering organisation: Security, Compliance, Identity and Management. Hopefully this announcement is an indication that Microsoft will eventually deliver secure products again.
Should we give up hope now?
Guacamaya: The Real Deal or Faketivists?
A hacktivist group calling itself Guacamaya has been very active in recent months, leaking large quantities of data from mining companies and several Latin American governments. But looking closer, Guacamaya's actions align in a few ways with Chinese aims. So, a question we've been kicking around at Risky Business HQ is whether Guacamaya is indeed a legitimate hacktivist group or just someone's sock puppet. Spoiler alert: We think it's probably the real deal but there are a few red flags.
Guacamaya has been active since at least March this year, and in its first publicly known hack it compromised a mining company operating in Guatemala and shared documents obtained in the hack with Forbidden Stories, a collaboration network for journalists, which subsequently published a "Mining Secrets" series of articles.
The group has been on a tear across Latin America ever since. It compromised more mining and oil companies but also government departments and national police and military forces. These police and military breaches include the General Command of the Military Forces of Colombia, Mexico's Secretariat of National Defense, El Salvador's National Civil Police, the Peruvian Army, and the Joint Chiefs of Staff of the Chilean Armed Forces.
Hiram Alejandro, CEO of Mexican cyber security firm Seekurity, has been tracking Guacamaya's activities since June and told Seriously Risky Business that the leaks have had a big impact in Mexico. They revealed the Mexican government was spying on Mexican reporters and activist groups, including feminists. They also revealed corruption within the Mexican government, links between politicians and Mexican drug cartels, and also that the government had used Pegasus spyware, despite President Andrés Manuel López Obrador's denials.
The leaks have even had impacts in Australia. The Sydney Morning Herald reported that a leak from the Colombian Attorney General's office revealed the "identities and methods of secret agents working to stop international drug cartels from operating in Australia". Per the Herald:
The leak contains details of 35 Australian Federal Police operations, some ongoing, as well as surveillance reports from undercover agents, phone taps and payroll records for Colombian law enforcement officers. Many overseas police agencies are also affected.
Guacamaya typically releases its hacked data to the websites Enlace Hacktivista and Distributed Denial of Secrets (DDoSecrets). Each release is accompanied by a statement and sometimes a poem or video describing the hacking process. Initial Guacamaya statements focussed on environmental degradation caused by mining and the oppression of native peoples by the Global North. Later statements also identify Latin American military forces and government organisations as complicit in this oppression.
So far, so normal. What we've described so far is all compatible with a hacktivist group of above average competence on a tear. But given the long history of state-backed groups masquerading as activists, how can we be sure Guacamaya is actually a legitimate hacktivist group? There are a couple of red flags.
For starters, China has form when it comes to anti-mining influence campaigns. Back in June, we reported on a PRC campaign that "tried to motivate anti-mining sentiment targeting Australian, US and Canadian rare earth mining companies by stoking environmental concerns across social media including Twitter, Facebook and Instagram" (On Rare Earth Minerals Dominance, China Turns to Disinformation).
The use of Enlace Hacktivista to release stolen documents is also a bit suspect. The first leak ever published by the site came from Guacamaya, and the second leak was a dump of 200k-odd emails stolen from the Nauru police force. This anonymous hack and leak — as we discussed at the time — came just three weeks out from the 2022 Australian federal election. Australian cyber security company CyberCX (a former sponsor of this newsletter), however, examined the Nauru leaks and found "several anomalies that invite scepticism about the motivations of the threat actor and the integrity of the leaked data". Although CyberCX did not find any information linking the hack to a state actor, one plausible explanation is that PRC-backed actors might have been trying to influence Australia's election. (Australia has some controversial immigration policies that Nauru factors into.)
Oh, and Guacamaya used ProxyLogon to gain access to its first victim, a Swiss-based company that operates the Fenix mine in Guatemala. This exploit was widely used by PRC state-backed actors (although this is a pretty weak indicator, everyone loved ProxyLogon).
Nonetheless, there is an alignment of tactics and interests here.
Despite these red flags, however, it is not clear to us that the hacking of Latin American governments to reveal corruption would be in the PRC's interests. And Hiram Alejandro also pointed out that the information stolen from governments hosted on Enlace Hacktivista was only being released by the site to journalists and researchers. Guacamaya released a statement, Alejandro said, that access would be limited "because this information in the hands of narcs [drug cartels], could put at risk innocent people".
In fact, these days Enlace Hacktivista asks people to contact DDoSecrets to get access to Guacamaya's government-related leaks. Alejandro was confident that vetting was occurring as when he tweeted about some of his findings other people contacted him for the source information because they couldn't get access any other way.
"Some people contacted me asking me for the information because Enlace Hacktivista denied… them the information," he says.
And the (almost 2 and a half hour-long!) video that Guacamaya released for the hack of the Fenix mine makes us think that Guacamaya is legit. It provides hacking instructions to inspire others to emulate Guacamaya's actions and has a real Phineas Fisher vibe.
It is also, at times, funny. When they discovered Advanced IP Scanner was already installed on a target, Guacamaya commented that "sometimes living off the land feels more like glamping" (40:30). The group even vaped computers on Fenix's network three separate times, twice of those seemingly for comedic effect. The first time Guacamaya used Kaspersky's "Wipe Data" feature. The second time, while listing the options available Guacamaya wrote "Also, Bitlocker, being Microsoft's official ransomware offering, is allowed. We went with BitLocker since it seemed like more fun…" (1:24:20).
We've not yet seen a Chinese state-sponsored actor with a sense of humour.
Australian Health Insurance Breach Gets Whole of Government Response
The breach at Medibank Private, one of Australia's largest private health insurance companies, continues to get worse. The government's response to it, however, is very interesting.
The mid-October incident was initially thought to be a foiled ransomware attempt, but it now turns out that data from all 3.8m Medibank customers (and also former customers) may have been stolen. The attacker had access to customer data from both Medibank's AHM and Medibank Insurance brands including personally identifiable data such as names, addresses, dates of birth, medicare numbers and "significant amounts of health claims data". It is not yet clear how much of this data was stolen, but Medibank says it "we expect that the number of affected customers could grow substantially".
Medibank did not have cyber insurance and expects that the incident will cost it AUD$25-35m not including "further potential customer and other remediation, regulatory or litigation related costs". Medibank shares, which had been under a trading halt until yesterday, dropped 18% wiping out about AUD$1.75bn of market value.
The Australian Financial Review reports that initial investigations have found that the criminals purchased stolen credentials online and somehow bypassed MFA to gain access. The thieves set up two backdoors, then ran custom-built tools to run automated queries to extract data from Medibank databases.
So, a competent but not exceptional operation that wasn't detected until the data was being exfiltrated. The persons responsible claim to have nabbed 200GB of data! The only saving grace is that Medibank and its CEO have been pretty transparent and have steered clear of calling the hack "sophisticated". They must have listened when Australia's cyber security minister slapped down claims that the recent hack of Optus was such.
Medibank is offering a more extensive support package to affected customers than we've seen in other breaches, so it looks like the Australian government successfully used the recent Optus breach to set expectations that companies affected by data breaches will cover costs for affected customers. Beyond the standard free identity monitoring this includes financial support for those customers "who are in a uniquely vulnerable position as a result of this crime", mental health and wellbeing support, and reimbursement of fees for new identity documents. Medibank has also deferred premium increases by a couple of months.
This response has (so far) kept Medibank out of the government's crosshairs, with Cyber Security Minister Clair O'Neil describing the Medibank breach as a horrendous criminal "dog act".
But the government is not letting Medibank deal with this by itself. O'Neil has invoked the National Coordination Mechanism, a crisis response mechanism set up to deal with the complexities of the Covid pandemic, to coordinate a whole-of-government response. Agencies responding to the breach include the Australian Signals Directorate, the Australian Federal Police, Services Australia and the Department of Health, and we are pleased to see that some hounds have actually been released.
"I want to thank the Australian Signals Directorate and the Australian Federal Police on the intensive work that is underway to hunt down the attacker, they are undertaking a very significant operation," O'Neil said.
We've never seen a response like this in Australia, so it'll be interesting to see what such a comprehensive mobilisation of government resources can achieve.
Beyond the steps taken to coordinate a whole of government response and future strengthening of the Privacy Act (see Reasons to be Cheerful #1, below), another initiative we'd like to see is public reports into significant breaches, similar to the log4j report produced by the US Cyber Safety Review Board. The Office of the Australian Information Commissioner has announced it will investigate the Optus breach, so it would be good to see a public report on its findings.
Three Reasons to be Cheerful this Week:
- Australian government gets serious about privacy fines: This week's Federal budget contains AUD$5.5m for the Office of the Australian Information Commissioner to investigate the recent Optus breach. And the government also introduced legislation that will vastly increase the financial penalties for serious data breaches. Maximum fines will increase from AUD$2.2m to the greater of AUD$50m or 30% of company turnover. We are not a fan of indiscriminate fines, but the proposed penalties will definitely focus attention on cyber security issues. The legislation also gives government bodies greater enforcement and information sharing powers.
- GUAC to understand software supply chains: Google announced a new open source project called GUAC, the Graph for Understanding Artefact Composition, which aims to aggregate many different sources of software security metadata and make it easily accessible and searchable.
- Raccoon Infostealer arrest and indictment: The US Department of Justice announced the March arrest of Mark Sokolovsky, a Ukrainian national for his role in the Raccoon Infostealer malware-as-a-service operation. Sokolovsky was arrested in the Netherlands in March and the FBI, Dutch and Italian authorities concurrently dismantled Raccoon's infrastructure (more at Risky Business News).
Sponsor Section
In this video demo, Proofpoint's Executive Vice President of Cybersecurity, Ryan Kalember, walks Patrick Gray through Proofpoint's Nexus People Explorer. It helps to manage risk by showing who the most targeted and most vulnerable people are in your organisation.
Shorts
A Person Just Got Slapped With An FTC Consent Decree
The Federal Trade Commission has issued a proposed order against alcohol delivery service Drizly that is noteworthy for applying to its CEO, James Cory Rellas, even if he leaves Drizly and works elsewhere.
In a press statement, Samuel Levine, the Director of the FTC's Bureau of Consumer Protection said "our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness. CEOs who take shortcuts on security should take note."
Drizly and Rellas will be required to destroy unnecessary data, limit future data collection and implement and information security program. FTC Commissioner Christine Wilson issued a dissenting statement that disagreed with holding Rellas liable, but we are ok with it as those requirements don't seem much more than what responsible companies should be doing anyway.
Ars on Passkeys
Ars Technica has an article explaining Passkeys, Microsoft, Apple and Google's fledgling implementation of hardware-based secure logon. Passkeys promises to be both easier and more secure for users being resistant to phishing and credential stuffing attacks. We've celebrated the arrival of this standard before, but Ars examines how to practically use passkeys right now.
Some Long Reads
Andy Greenberg has the first instalment of a six-part series on the AlphaBay darknet market out on Wired. We are looking forward to the entire series.
ProPublica published a piece on the difficulties the FBI had building up its capabilities to counter cyber crime. Many of these difficulties were cultural — technical expertise was simply not valued. One former agent, for example, called civilian non-agent cyber experts "dolphins" as they were "highly intelligent and can’t communicate with humans".
State Department Carrots, FBI Sticks
Last week the FBI warned that an Iranian government-linked cyber company, Emennet Pasargad, may attempt to target US organisations. The State Department also announced a USD$10m reward for information about Emennet Pasargad members.
Emennet Pasargad was previously involved in US election interference and has been conducting hack and leak operations in Israel. More coverage at NBC News.
Risky Biz Talks
In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunesor Spotify) also publishes interviews.
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss internet giants and how their relationships with the state.
From Risky Biz News:
GitHub aflood with fake and malicious PoCs: If you're a security researcher or IT admin tasked with defending your network and you download proof-of-concept code from GitHub, there's a one in ten chance that you will download and run a fake or malicious exploit, according to the results of a sprawling study performed by academics from Leiden University in the Netherlands. (continued)
Iran nuclear agency hack: A hacktivist group calling itself Black Reward took credit for hacking Iran's Atomic Energy Organization and released more than 50GB of data containing emails, contracts, and construction plans related to Iran's Russian-backed nuclear power plant in Bushehr. The group also requested the release of recent political prisoners detained in the Mahsa Amini anti-government protests over the past month. The Iranian government confirmed the incident on Sunday.
URSNIF goes from banking trojan to backdoor, dreaming of ransomware profits: Researchers from security firm Mandiant have reported this week that URSNIF (aka Gozi, or Gozi/IFSB), one of the oldest and last few remaining banking trojan operations that were still active this year, has completely ditched its banking fraud-related features and now appears to operate as a basic backdoor trojan, the type of barebones malware typically used in Access-as-a-Service (AaaS) schemes that rent access to compromised devices.
The driving force behind this shift in malware economics was the rise of ransomware and enterprise network big-game hunting. As ransomware operators realized they could extort an obscene amount of money from companies and government networks, they started to look for ways into these networks.
It's all about the minimum amount of work you can perform for the largest profit. Banking/carding is now hard, thanks to banks, and ransomware is easy, thanks to a bazillion reasons.
Much more here as Catalin describes the drivers behind the demise of banking malware.