Srsly Risky Biz: Wednesday, March 18

Attackers prey on COVID confusion, targeted attacks bypass MFA, the Voatz source code audit

Welcome to the first edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

Attackers prey on COVID confusion

If we hoped ransomware gangs would give hospitals a reprieve during a global health epidemic, prepare to be disappointed. Local Czech media reports that the University Hospital in Brno - the country’s second-largest - had to shut down and isolate systems and re-route some patients to counter a ransomware infection.

Predictably, State-sponsored attackers and cybercrime gangs have capitalized on the chaos caused by the COVID-19 pandemic. Attacks with COVID-themed lures have been attributed to known actors in Russia, China and North Korea, and to a large number of profit-motivated gangs. US Attorney General William Barr has urged the Department of Justice to prioritize prosecution of COVID-themed scams.

This week the Risky Biz team looked at the challenges of securing a (newly) remote workforce in response to the epidemic. See a replay of our livestream with Adam Boileau, Patrick Gray, Alex Stamos. (I also made a cameo to introduce myself.)

Targeted attacks bypass MFA

If there’s one take-away from our livestream, it’s the need to prioritise multi factor authentication (MFA) in the rush to offer remote access. That remains the case even as we see more reports of MFA being bypassed in targeted attacks.

Amnesty International published a study of phishing techniques used against journalists and human rights activists in Uzbekistan, which include use of reverse proxies to bypass MFA. Attackers established a MITM proxy between phishing victims and legitimate websites, stealing tokens generated from an authenticated session to log-in as the legitimate user.

While Amnesty recommends use of hardware security keys (which invalidate these types of attacks), it nonetheless notes that ANY use of MFA is a far more secure outcome than dismissing it altogether.

Source code audit validates concerns about mobile voting app

A second security audit has unearthed a litany of security vulnerabilities in Voatz, a mobile voting app piloted in several recent US elections.

Security firm Trail of Bits was commissioned by a philanthropic body that promotes mobile voting to audit the Voatz source code, as a follow up to an earlier test with a narrower scope by MIT researchers. ToB published 79 findings - a third of them rated as ‘high’ severity. Voatz’ CEO told Vice Motherboard he is comfortable accepting most of these risks - whether election officials or anyone else will is another matter. The fact a product like this was hurtling towards market dominance is a worrying development.

“Boring” trial of Russian hacker suspended

The trial of Yevgeny Nikulin, a Russian hacker the US indicted for breaches at Dropbox, LinkedIn and Formspring, isn’t smooth sailing for US prosecutors.

After exhaustive efforts to extradite Nikulin from the Czech Republic and two days of hearings in the US, the judge has complained about the prosecution’s evidence being so ‘boring’ that it put several jurors to sleep.

We’re not entirely sure what level of fireworks and intrigue the judge and jury were expecting: the trial has already heard of links between cybercrime actors and the FSB, between the accused and a Group-IB exec, and now a COVID-19 scare: one of the prosecution’s key witnesses - a Secret Service agent - had to be isolated after exposure to a person with COVID-19 symptoms, necessitating a two-day delay in the trial.

Vice publishes trove of phone unlock data

Vice Motherboard has made a healthy contribution to the ‘Going Dark’ debate, analyzing over 500 warrants in which US law enforcement sought to unlock a suspect’s iPhone.

Reporter Joseph Cox and researcher Izzie Ramirez combed all the cases to record whether data was successfully extracted. A slim majority were - indicating certain agencies have the necessary cracking tools to break into devices. Equally, the data shows these capabilities are not universally available across law enforcement or reliably effective, and that the price of unlocking tech appears to be on the rise. Vice’s sample data set demonstrates that taking a hard position on either side of the debate isn’t at all constructive.

Auto-updates for Wordpress plugins

In a new and long-overdue development, WordPress users can soon choose to auto-update plugins and themes.

Unfortunately, the world’s most popular CMS is also the world’s most vulnerable web application framework, largely because WordPress plugins are often orphaned or sold to actors with nefarious motives. Even if new plugins and themes can be auto-updated, legacy installs might take a decade to bleed out.

Auto-updates also introduce a new software supply-chain risk: now when your attacker buys or compromises a plugin you trust, you might automatically accept any change they make to the code.

Avast abandons AV engine over bug

Avast has removed an engine in its AV product that was designed to emulate the execution of JavaScript files before allowing them to run on user devices. The feature was culled after Google’s Travis Ormandy found that the AvastSvc.exe process ran untrusted code, but wasn’t sandboxed from anything else running on the device. Feeding it a malicious file could lead to code execution on the user’s device at the highest level of privilege. It’s probably not the worst thing to happen to Avast so far in 2020 - Project Zero has found the same class of bug in just about every AV engine on the market at some point.

Three reasons to actually be cheerful this week:

  1. Worm back in can (for now): Details of a wormable Remote Code Execution condition affecting Microsoft’s SMBv3 protocol were accidentally disclosed and promptly deleted in the March patch cycle. The good news is that Microsoft rushed out an emergency patch and many Windows 10 devices remain configured to run updates automatically (this only became optional in mid-2019). The only PoC we’ve seen at the time of writing abuses the vulnerability to create a DoS condition. The upshot is we probably won’t see a NotWannaRyuk worm destroy global supply chains during our pandemic.
  2. Medical devices need a check-up - From May, medical devices sold in the EU have to meet a set of basic security requirements. Vendors of pacemakers, insulin pumps and other connected medical devices must demonstrate compliance with minimum security standards and detail how they intend to support the devices in the future.
  3. SIM swappers in cuffs - Europol and law enforcement partners arrested 26 people accused of using SIM swapping to steal the one-time codes of victims to hack their bank accounts.

Shorts

Iranian RATs - The European Network of Transmission System Operators for Electricity (ENTSO-E) was most probably hacked by Iranian state actors, according to Cyberscoop. ENTSO-E didn’t attribute in their breach disclosure, but Cyberscoop have since drawn a line between ENTSO-E’s breach and recent threat analysis by Recorded Future to do it for them.

Russians outsourcing troll farms - Facebook discovered and removed from its network several dozen accounts in Ghana and Nigeria accused of being fronts for Russia’s banned troll farm, Internet Research Agency (IRA).

Russians trolls off the hook - The US has dropped charges against two Russian firms for election interference, over fears the trial might disclose the sources and methods used to gather evidence against them.

Almost anonymous - The Tor Project has patched a flaw in its browser that allowed JavaScript to run even if users configured it not to. JavaScript can and has been used in the past to fingerprint users that rely on Tor for maintaining anonymity.

Still flipping bits - Researchers have figured out ways to defeat TRR - the protection chip vendors use to prevent Rowhammer attacks. You can safely leave it to vendors to worry about their next move - there’s easier ways to pop a box.