Srsly Risky Biz: Tuesday, November 24

UK military to attack cyber-enabled crime; the malware families that usually lead to ransomware; Congress leans on US Government buying power to clean up IoT security

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

UK military to attack cyber-enabled crime

The UK Government has thrown a coming out party for its National Cyber Force (NCF), a military unit with a similar remit to US Cyber Command, confirming that the capability can be used in offensive security operations against criminal targets.

Established in April 2020 after two years of planning, the National Cyber Force comprises defence and intelligence personnel but can be used to disrupt cyber-enabled crime. British Prime Minister Boris Johnson included "organised crime" in a list of targets the NCF is authorised to pursue during a speech to the UK Parliament. The UK Government also noted that the NCF could be used to disrupt infrastructure used for the dissemination of child exploitation material.

We don't know precisely what threshold criminal activity must meet to warrant NCF operations, only that it needs to be serious enough for the NCF to obtain ministerial authorisation from the UK's Foreign Secretary.

What's clear is that across the Five Eyes, there is a determination to fuse defence, intelligence and law enforcement capabilities to counter cyber threats, as exemplified by ASD action against unnamed cybercrime groups and recent US Cyber Command operations against TrickBot. (That said, the TrickBot disruption was probably only possible because of a perceived risk to the US election, which falls under USCC's statutory authorisations.)

This approach provides a focal point for offensive security capability talent that is otherwise difficult and expensive for individual agencies to recruit and retain. It's also a sign that disrupting crime, as opposed to just investigating it, has been judged to be worthwhile tasking for UK government operators.

UK defence analyst and former GCHQ operator Marcus Willett observes that allowing military hacking units to "skirmish" with cybercriminals helps develop and refine offensive security skills that aren't authorised against state-backed actors as often. Turning organised crime syndicates, ransomware crews and CSAM peddlers into cyber clay pigeons for operator target practice sounds ok to us. Happy hunting, chaps! Pew pew! Jolly good.

The malware families that usually lead to ransomware

Catalin Cimpanu at ZDNet has catalogued the malware infections that are usually a precursor to a ransomware attack.

His cheat sheet lists the dominant loaders/droppers used to infect targets that historically have called a ransomware payload later in an attack. Catalin also included Cobalt Strike, a post-exploitation framework. If you detect any of the items on the list you might still be a few days or hours from a disruptive event.

Cimpanu, the most prolific cybersecurity reporter we follow, has developed a commendable knack for explaining the cybercrime ecosystem in simple, approachable ways. His recent write up of an Intel 471 report that tiers the capabilities of ransomware actors is also worth a read.

US Congress passes IoT security bill

The US Congress has passed a bill that will set minimum security requirements for any manufacturer of internet-connected devices that wants to do business with the US government.

The idea is to use the US government's purchasing power to motivate manufacturers of IoT devices to improve their product security.

The bill requires NIST to draft minimum requirements for secure development practices, identity management, patching and configuration management and review them every five years. Separately, NIST will draft additional requirements IoT vendors must meet for handling vulnerability reports.

The US Office of Management and Budget will align procurement rules with these new NIST standards. Agency CIOs can apply for waivers on national security grounds or if they can prove that the device will be secured using an "alternative and effective method".

There is a fairly broad global consensus about minimum security requirements for IoT devices, but governments are testing out different approaches to how they encourage manufacturers to comply with them.

The UK was first to publish a voluntary code of practice in 2018, an approach adopted by Australia (in September 2020) and the European Union Agency for Cybersecurity (in November 2020). Now the UK is weighing up whether 3 of the 13 requirements in its code should be mandatory. Singapore, meanwhile, launched a labelling system in October to let consumers make more educated purchasing decisions, an idea that was also recommended, but is yet to be implemented, in Canada. All of these countries have expressed a longer term preference for a global IoT security standard, but felt it prudent to enact national schemes first, before things get way out of hand.

BEC sinks Australian hedge fund

A small Australian hedge fund has gone out of business after falling victim to a BEC attack, which caused its largest institutional client to lose confidence in it.

Attackers gained access to Levitas Capital's email system and requested the fund's trust (AET Corporate Trust) and administrator (Apex) pay several bogus invoices on its behalf over an eight-day period. According to Levitas' senior management, the staff at AET and Apex made very little effort to verify these unusual payment requests via an alternative channel before paying the funds into attacker-controlled accounts. (A simple phone call might have done the trick!)

A Pakistani national at the other end of the scam got away with AU$300k worth of cash and purchases before fleeing Australia. A further AU$7.5 million of funds (about 10 percent of funds under Levitas' management) was diverted to bank accounts in Hong Kong and Singapore through additional requests for payment, but thankfully its Australian bank was able to claw those funds back. Nonetheless, Levitas' largest institutional client (Australian Catholic Super) pulled its funds from Levitas in the wake of the attack.

APT10 still cloud-hopping

Surprise! Sanctions levied against APT10's operators have failed to deter the group's activity, according to a report authored by Symantec and confirmed by its peers at Mandiant.

APT10 (aka Cicada, MenuPass) is a Chinese state-sponsored cyber espionage group that has stolen untold volumes of intellectual property from Western targets, principally by compromising their managed IT services in what became known as the "Cloud Hopper" campaign.

Symantec traced recent APT10 activity to attacks on a large number of organisations, all with Japanese ownership or operations, between October 2019 and October 2020.

The more recent of these attacks abused the NetLogon vulnerability to move through infected networks.

Australia's Office of National Intelligence is looking for a full-time IT Systems Engineer. You'll need to be an Australian citizen with broad knowledge of operating systems, virtualisation tools and cloud services.

Silent patches, crossed wires expose Cisco kit

Attackers are scanning the internet for vulnerable versions of Cisco Security Manager, a tool used to configure Cisco switches, routers, firewalls and IPS sensors.

Cisco Systems silently patched several bugs in Security Manager during a recent update, but didn't inform the researcher who found them, Florian Hauser. Cisco didn't reference the bugs in its release notes and didn't initially publish any security advisories on the bugs.

Hauser, believing that Cisco had failed to act on disclosures he'd made as far back as July 2020, published PoCs for the bugs. Cisco then advised him that one of the bugs, a directory traversal vulnerability (CVE-2020-27130), was silently patched in release 4.22.

Cisco is yet to patch a second of Hauser's disclosures: a deserialisation vulnerability (CVE-2020-27131) in all but the most recent (April 2020) release of Cisco Security Manager that "could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device".

We're unsure how the communication went so badly wrong between Cisco and Hauser, but the net result isn't ideal for defenders.

Changing of the guard at CISA

Brandon Wales is now the acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), after the agency's director, Chris Krebs, his deputy Matthew Travis and assistant director Bryan Ware were fired by the outgoing Trump administration.

Wales is the senior-most civil servant at CISA, so technically White House officials can't dismiss him. The Trump administration could appoint a replacement director, but that would be a very short-term appointment.

Android Messages joins inexorable march to E2EE

Google has upgraded Android Messages, the default messaging app on most Android devices, to use end-to-end encryption for messages sent between users. It won't be switched on for users in China or Russia. Android Messages uses the Signal Protocol for E2EE over RCS, the IP-based protocol designed to replace SMS. The Signal Protocol is fast becoming a de facto standard: it is also used to secure WhatsApp messages (all users), Signal messages (all users) and "Secret Conversations" on Facebook Messenger.

Ghost accounts zapped

Facebook and Cisco have patched bugs in their communication platforms that allowed for unlisted third parties to eavesdrop on conversations. Cisco fixed three bugs that together allowed an attacker that knows the URL of the scheduled WebEx call to listen in as an unlisted "ghost" user. Facebook, meanwhile, paid Project Zero's Natalie Silvanovich a US$60,000 bounty for reporting a bug in Messenger for Android that allowed for eavesdropping if both the attacker and the target were Facebook friends and logged in at the same time.

Vendors scramble to patch Tianfu Cup bugs

US tech vendors are patching the last of the bugs torched on stage at the Tianfu Cup earlier this month. Mozilla and Google were quick to patch bugs in Firefox and Chrome, while Microsoft patched a large number of local privilege escalation bugs a few days later that were reported by Tianfu Cup participants. (A caveat: we're not sure if the Microsoft bugs were disclosed before or during the event). VMware took about 11 days to patch bugs disclosed in ESXi during the competition. We're unsure of Apple's progress.

Singapore wants answers on Muslim Pro data

Singapore's privacy regulator the PDPC is investigating Bitsmedia, the Singapore-based company that publishes the Muslim Pro app, in response to Joseph Cox's story about mobile apps that sell user data to US defence contractors via third party brokers. In the first of two lengthy statements, Bitsmedia claimed that all data sold to data broker X-Mode Social was anonymised, but it chose to terminate its agreement with X-Mode anyway. A few days later Bitsmedia claimed that X-Mode Social stopped selling data to US defence contractors before Muslim Pro was enrolled in X-Mode's program.

Americold down with ransomware

Americold, one of the United States' largest cold storage logistics companies, is recovering from a ransomware attack. Bleeping Computer reported that the company was unable to answer its phones or email and lost access to inventory management and order fulfilment systems after an attack on November 16. The company told shareholders that it proactively shut off its network in an attempt to contain the infection.

This week's long read

Netherlands-based FOX-IT published a comprehensive report on the activities of TA505, based largely on forensics collected from attacks on two Dutch universities. In last week's newsletter we said that the malspam campaigns attributed to TA505 are distinct from the use of CLOP ransomware, but in FOX-IT's view, the same actors are involved "from initial infection to monetisation."